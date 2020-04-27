The more users a piece of software or a platform has, the more interest it attracts from cybercriminals and cybersecurity analysts, and so the greater the probability that vulnerabilities will be detected in it. It is no wonder, therefore, that video-calling applications have dominated this field ever since the coronavirus quarantines began.

It is less common, though, for this kind of headline to feature not Zoom (which, after several controversies, seems to be catching up on security) but its rival Microsoft Teams, which currently boasts 44 million daily users.

The vulnerability discovered in this teamwork app is especially striking: merely viewing (not even downloading) a malicious GIF file could allow an attacker to access a user’s account (or, more usually, those of an entire team at once).

This vulnerability, which would potentially have affected all users accessing Teams through either the desktop app or the web browser, was discovered by a group of CyberArk Labs researchers and described on the company's website.

The vulnerability has been made public after being fixed

According to sources at Microsoft, the company worked with CyberArk to carry out a coordinated disclosure of the vulnerability once it had been fixed:

“We have taken measures to safeguard the safety of our clients […] although we have no record that this technique has come to be used.”

Striking as the use of a GIF for this purpose is, the image file was only a means of exploiting a deeper vulnerability: cookie theft made possible after Microsoft lost control of two of its poorly supervised subdomains, aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.

“The fact that the victim only needs to see the file to be affected constitutes a nightmare from the point of view of cybersecurity”

CyberArk has not specified how it managed to get hold of those subdomains (though it did say that finding one that was useful for this attack “was not easy”). As an example of how this can happen, when a subdomain's CNAME record points to an expired domain, it is possible to redirect the subdomain to a machine controlled by the attacker.
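A defensive check for the dangling-CNAME condition described above, as an added example that is not from CyberArk, Microsoft or the original article: it audits a zone export for CNAMEs whose targets no longer resolve and ranks them by whether the subdomain sits inside the scope that receives session cookies or tokens. The zone data, the `example.test` names, the severity labels and the function names are all assumptions made for illustration.

```python
import socket
from typing import NamedTuple

class Finding(NamedTuple):
    name: str      # subdomain that carries the CNAME
    target: str    # host the CNAME points to
    severity: str  # "high", "medium" or "low" (labels assumed for this example)

def _norm(host):
    return host.strip().rstrip(".").lower()

def _within(host, suffix):
    """True if host equals suffix or is a label-aligned subdomain of it."""
    return host == suffix or host.endswith("." + suffix)

def system_resolves(host):
    """Default check: does the name currently resolve to any address?"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records, owned_suffixes, credential_scope, resolves=system_resolves):
    """Flag CNAMEs whose target no longer resolves (a review lead, not proof of expiry)."""
    owned = [_norm(s) for s in owned_suffixes]
    scope = _norm(credential_scope)
    findings = []
    for raw_name, raw_target in records:
        name, target = _norm(raw_name), _norm(raw_target)
        if resolves(target):
            continue  # live target, nothing dangling
        if any(_within(target, s) for s in owned):
            severity = "low"     # stale, but the target namespace is ours
        elif _within(name, scope):
            severity = "high"    # outside target, and the name receives credentials
        else:
            severity = "medium"  # outside target, name is out of credential scope
        findings.append(Finding(name, target, severity))
    return findings

# Constructed sample zone export (placeholder names, not real records).
SAMPLE_ZONE = [
    ("app.teams.example.test", "frontend.cdn-provider.example"),
    ("Sync-Test.teams.example.test.", "lab.expired-vendor.example."),
    ("promo.example.test", "campaign.expired-vendor.example"),
    ("data-dev.teams.example.test", "old-box.example.test"),
]
```

Calling `audit_cnames` without a `resolves` argument checks the targets against live DNS through the system resolver.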

Controlling those subdomains meant that Teams would send them its authentication tokens once the victim clicked on the malicious GIF (hosted on one of the subdomains in question); those tokens were then modified to pass as Skype tokens, which gave access to the user’s client.

These counterfeit tokens are only valid for one hour, but that is more than enough time to steal the information (and if not, the attacker can always send another GIF).

It was precisely this token-sending problem that Microsoft had to solve to prevent cybercriminals from using the technique discovered by CyberArk. In any case, if you use the application and have recently received a GIF whose legitimacy you doubt, the best thing is to play it safe and change your account credentials.

