Share a GIF, Share a Hack
Microsoft says they’ve fixed a vulnerability that allowed Microsoft Teams to be hacked via a .GIF file. CyberArk published their findings on April 27th regarding a subdomain takeover that can leave Microsoft Teams open to intrusion. The breach works on both the desktop and web versions of the programs.
Here’s how it works. First, you open Teams and it creates a temporary access token. Next, other tokens are created to support services in Teams. There are two cookies, however, used to restrict permissions. The restrictive token is then sent to Teams and its subdomains.
This is where, if the hacker can force the user to visit the subdomain, the hack happens. Cookies are sent to the attackers server. The attacker can then gain permissions with those authentication cookies.
This attack chain is complex, but can be done by sending a malicious link or a .GIF to that vulnerable subdomain. Clicking on it allows the hacker, now armed with authentication, to generate a token to access the user’s Teams sessions.
Hacking into a Teams session is incredibly valuable for a hacker looking for inside secrets, documents, company files, or a host of other information that can be leveraged for money.
Huh?
To clarify, that was a very fancy way of saying a hacker can use the different ways a program accesses your machine to hack into it. Microsoft has patched that vulnerability. Even the most elaborate ways into a machine should be explored, exploited in a controlled environment, and fixed. This way the less technically inclined aren’t accidentally finding themselves compromising their company secrets.
Above all, this is another example of why you need to keep your systems updated as soon as the patch is released. There will always be vulnerabilities. As long as you’re updated and using common sense, you have a good chance of staying ahead of the bad guys.
Stay safe.
