Microsoft Teams is not quite the Team Player we thought

The folks at CyberArk uncovered a new vulnerability in Microsoft Teams. In Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams, they investigate a serious security hole in Teams that could threaten your organization and provide access to confidential information. Fortunately, Microsoft has, in theory, patched this vulnerability thanks to locking down any vulnerable Microsoft Teams servers.

This is a startling development considering how I’ve had to defend Zoom with respect to its long-ago patched UNC Path vulnerability. Now, we find out that by intercepting the traffic during the sending of images like a Gif, an attacker can subvert a computer’s security, intercept a victims access tokens, and impersonate the victim to begin a social engineering attack.

The basic process is the attacker can use Fiddler to intercept a benign image being transmitted. Since the image is transmitted via its URI, the attacker can modify the packet that transmits the benign URI and change the source domain to come from a compromised Microsoft Teams server.

Next, the attacker needs to intercept traffic to the compromised Microsoft Teams servers. Once the victim loads the image in his Teams viewer, the victim’s computer transmits his authentication tokens to the compromised server and thus the attacker has the users credentials.

The main solution is to lock down any vulnerable servers in the Microsoft Teams subnet. However, it is interesting that Teams uses a REST API with JWT. This is a very common authentication method and one used by OAuth Authentication. I have developed a number of software components that use JWT from OAuth and use those tokens to make connections to various web services I typically use, like meetup and Google Drive.

Microsoft Teams uses two JWT. First, the user gets an authentication token, and with that, the user can get the session token called skypetoken_asm. Both tokens are required by the Microsoft REST API to communicate with the server. The interesting thing, though, is that the second token is called Skype Token. A few years ago Microsoft bought Skype. At the time, people speculated why and of course with Microsoft Teams, I thought it might be leverage Microsoft with its own video conferencing platform. The question was, was Microsoft Teams based on Skype? It looks like at least in part, the answer is yes.

Below, you can watch a video of how this attack might actually work.

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | CyberArk

So, be careful what video conferencing system you use. Clearly, Zoom isn’t perfect, but neither is Microsoft, and neither is Google likely to be. There is no reason to pick on any of them. All three are working hard to patch vulnerabilities as soon as they’re found. Just, try to keep your software up to date. And that’s my latest deep dive into Video Conferencing security. If you like what you’ve read, I’m available and eager for hire.