Microsoft has patched a vulnerability in its popular chat and conferencing app Teams, which could have allowed hackers to scrape user data and ultimately take over entire organisations’ accounts just by sending victims modified GIFs that look no different from regular moving images.
In an article on Monday, cybersecurity firm CyberArk said it discovered that two subdomains under the Microsoft Teams site were vulnerable to takeovers.
When victims received a GIF modified to point to these compromised subdomains on Teams chat, their browsers would try to load the image, at the same time sending their access tokens to either of the compromised subdomains. These tokens could allow hackers to read and send messages, create groups, add new users or remove users from groups and change permissions in groups, according to CyberArk.
CyberArk said it reported the vulnerability to Microsoft on March 23, and the software giant moved quickly to delete the misconfigured Domain Name System (DNS) records for the two exposed subdomains. Microsoft, which confirmed it worked with CyberArk to fix the vulnerability, issued a patch on April 20.
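The root cause described above is a dangling DNS record: a CNAME that still points at a cloud hostname nobody in the organisation controls any more, which an outsider can then register. The audit below is an added example (not CyberArk's or Microsoft's code) that flags such records in a constructed sample zone; the zone, the provisioned-host inventory and the provider suffix are all made-up values.

```python
"""Audit a DNS zone for dangling CNAME records (added example, not from the article).
The zone and the inventory of provisioned hosts are constructed sample data; a real
audit would pull both from the DNS provider and the cloud account's resource list."""
from collections import namedtuple

Record = namedtuple("Record", "name type target")

# Constructed sample zone: two CNAMEs point at cloud hostnames that were never re-provisioned.
SAMPLE_ZONE = [
    Record("www.example.com.", "A", "203.0.113.10"),
    Record("chat.example.com.", "CNAME", "chat-prod.cloudapp.example.net."),
    Record("old-demo.example.com.", "CNAME", "demo-2018.cloudapp.example.net."),
    Record("api.example.com.", "CNAME", "api-prod.cloudapp.example.net."),
    Record("legacy.example.com.", "CNAME", "legacy-site.cloudapp.example.net."),
]

# Constructed inventory: hostnames that currently exist in our cloud account.
PROVISIONED = {
    "chat-prod.cloudapp.example.net.",
    "api-prod.cloudapp.example.net.",
}

# Constructed provider suffix where an unclaimed hostname can be registered by anyone.
CLAIMABLE_SUFFIXES = (".cloudapp.example.net.",)


def normalise(name: str) -> str:
    """Lower-case and make fully qualified so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def find_dangling(zone, provisioned, claimable_suffixes):
    """Return CNAME records whose target sits on a claimable provider and is not provisioned.

    Such a record lets an outsider register the target and serve content under our own
    name, the condition that exposed the two Teams subdomains; the fix is to delete or
    re-point the record, as Microsoft did.
    """
    owned = {normalise(h) for h in provisioned}
    dangling = []
    for rec in zone:
        if rec.type != "CNAME":
            continue
        target = normalise(rec.target)
        if target.endswith(tuple(claimable_suffixes)) and target not in owned:
            dangling.append(rec)
    return dangling


if __name__ == "__main__":
    for rec in find_dangling(SAMPLE_ZONE, PROVISIONED, CLAIMABLE_SUFFIXES):
        print(f"DANGLING: {rec.name} -> {rec.target}  (delete or re-point this record)")
```

Running it on the sample zone reports the two stale records, old-demo and legacy, and leaves the CNAMEs whose targets are still provisioned alone.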
“While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe,” a Microsoft spokeswoman told the Post on Tuesday.
The security risk was discovered at a time when more companies are using remote working apps, as shelter-in-place orders and temporary business closures keep employees at home during the coronavirus pandemic. The surge of online users has seen a corresponding rise in cyber threats, with hackers targeting large organisations such as the World Health Organisation and Chinese government agencies in addition to regular users.
“As videoconferencing becomes the ‘norm’ for working, it is becoming normal for hackers to target this software,” said Ben Wootliff, head of the Asia cybersecurity practice at risk consultancy Control Risks. “Of course vendors are now responding to this increased scrutiny and patching the weaknesses, but we can expect to see this cat-and-mouse game go on indefinitely, or at least until our working modes change again and hackers identify a new area to target.”
“One of the biggest and the scariest things about this vulnerability is that it can be spread automatically, similar to a worm virus,” CyberArk wrote about the malicious GIFs. “The fact that the victim only needs to see the crafted message to be impacted is a nightmare from a security perspective.”
The cybersecurity firm said that while limiting internal communication to employees within the organisation would reduce exposure, it found that any interaction that included a chat interface with an outsider was enough to be affected by this vulnerability. This could include, for example, an invitation to a conference call with a candidate for a job interview.
Once they obtained a user’s access token, hackers could impersonate the victim and send more malicious GIFs to other employees, eventually affecting every user in the organisation active on either the desktop or web browser version of Teams, the cybersecurity firm added.
“Microsoft Teams is part of an extensive set of communication, productivity, and collaboration tools hosted on Microsoft’s cloud infrastructure,” said Douglas Brush, the vice president of cybersecurity solutions at legal consulting firm Special Counsel.
“What is interesting with technology such as this is it can potentially present a much larger attack surface area for attackers to exploit ... chief information officers and technology leaders get a ton of great features as part of a single monthly user license, but one vulnerability, one part of the technology, can present exposure to the entire technology stack.”
However, Brush added it would take a certain amount of sophistication to coordinate such an attack, so he would rate the risk of a threat due to this vulnerability as relatively low.
Microsoft and CyberArk worked together to resolve the malicious GIF issue under the former’s coordinated vulnerability disclosure process, which follows international guidelines for researchers to disclose newly discovered vulnerabilities to technology vendors and allow them to develop fixes before releasing any information to the public, to reduce the risk of others exploiting the vulnerabilities.
In a blog post in April, Microsoft 365 corporate vice-president Jared Spataro said the company processes more than 8 trillion security signals every day and uses them to proactively protect users from security threats.
Microsoft said Teams had 44 million users as of March 18, more than double the 20 million daily active users that the software maker reported in November, while competitor Zoom Video Communications’ daily active users on its video conferencing app hit 300 million last week.
San Jose-based Zoom, which has beaten Microsoft’s Skype and Teams as well as Google Hangouts to become the work-from-home app of choice for users worldwide amid the pandemic, has also faced its share of privacy and security woes.
Earlier this month, Zoom CEO Eric Yuan admitted security “missteps” that resulted in issues such as “Zoombombing”, when uninvited guests crash meetings, and some calls from the US having their data mistakenly routed through China.
While some companies and school districts have dropped the app over security concerns, Zoom’s response has reassured investors and sent shares climbing. – South China Morning Post