Arthur T Knackerbracket has found the following story:
Microsoft has fixed a subdomain takeover vulnerability in its collaboration platform Microsoft Teams that could [have] allowed an inside attacker to weaponize a single GIF image and use it to pilfer data from targeted systems and take over all of an organization’s Teams accounts.
The attack simply involved tricking a victim into viewing a malicious GIF image for it to work, according to researchers at CyberArk who also created a proof-of-concept (PoC) of the attack.
Microsoft neutralized the threat last Monday, updating misconfigured DNS records, after researchers reported the vulnerability on March 23. “Even if an attacker doesn’t gather much information from a [compromised] Teams’ account, they could use the account to traverse throughout an organization (just like a worm),” wrote Omer Tsarfati, CyberArk cyber security researcher, in a technical breakdown of its discovery Monday. “Eventually, the attacker could access all the data from your organization Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans, etc.”
The attack involves malicious actors being able to abuse a JSON Web Token (“authtoken”) and a second “skype token”. The combination of these two tokens is used by Microsoft to allow a Teams user to see images shared with them – or by them – across different Microsoft servers and services such as SharePoint and Outlook.
[...] “Now with both tokens, the access token (authtoken) and the Skype token, [an attacker] will be able to make API calls/actions through Teams API interfaces – letting you send messages, read messages, create groups, add new users or remove users from groups, change permissions in groups,” researchers wrote.
[...] Researchers [...] said Microsoft quickly deleted the misconfigured DNS records of the two subdomains, which mitigated the problem.
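Why a look-alike subdomain is enough to collect the token, as an added example that is not part of the story and not CyberArk's proof of concept or Microsoft's code. It assumes the authtoken travels as a cookie scoped to the parent domain (which is what lets every subdomain under it receive the cookie, as the story describes); the host name `attacker-controlled.teams.microsoft.com`, the cookie attributes and the JWT placeholder are constructed for illustration, since the page does not name the two misconfigured subdomains. The code implements the RFC 6265 rules a client applies when deciding which cookies to attach to a request.

```python
"""
Added example: RFC 6265 cookie scoping, applied to a token cookie.

Not CyberArk's PoC and not Microsoft's code. Host names, attribute choices
and the token value are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str        # effective domain, lower-case, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or the request host ends with
    '.' + cookie domain (a.b.example matches b.example; ab.example does not)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for(url: str, jar: list[Cookie]) -> dict[str, str]:
    """RFC 6265 section 5.4: the cookies a client attaches to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    sent: dict[str, str] = {}
    for c in jar:
        if c.host_only:
            if host != c.domain:          # host-only: one exact host
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and parts.scheme != "https":
            continue
        sent[c.name] = c.value
    return sent


TOKEN = "eyJhbGciOi.placeholder.sig"   # constructed stand-in for the JWT

# Constructed jar: the same token stored two ways.
JAR = [
    # Domain-scoped (assumed attack precondition): every subdomain receives it.
    Cookie("authtoken", TOKEN, "teams.microsoft.com", host_only=False, secure=True),
    # Hardened variant: host-only, so only the issuing host ever sees it.
    Cookie("authtoken_hostonly", TOKEN, "teams.microsoft.com", host_only=True, secure=True),
]

# Hypothetical subdomain an attacker obtained through a dangling DNS record.
IMAGE_URL = "https://attacker-controlled.teams.microsoft.com/cat.gif"


if __name__ == "__main__":
    # The client fetches the GIF and, with the domain-scoped cookie, hands over
    # the token; the host-only cookie stays home.
    print("image fetch sends:", cookies_for(IMAGE_URL, JAR))
    print("first-party sends:", cookies_for("https://teams.microsoft.com/", JAR))
```

The first print shows only `authtoken` leaving for the attacker's host: the image request itself is ordinary, the leak comes entirely from the Domain attribute. Dropping the Domain attribute (host-only) or denying outsiders control of any host under the parent domain, which is what the DNS fix did, both break the chain; the `Secure` flag does not help here because the attacker's host serves HTTPS under the legitimate parent domain.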
(Score: 5, Insightful) by Rosco P. Coltrane on Monday April 27 2020, @07:39PM (3 children)
Just don't put confidential information, competitive data, secrets, passwords, private information or business plans on the fucking cloud, use Teams as the overhyped IRC client it is and you'll be fine.
(Score: 1, Informative) by Anonymous Coward on Monday April 27 2020, @08:07PM (1 child)
Easier solution...
Make all MS staff use Linux workstations/servers.
(Score: 0, Troll) by Anonymous Coward on Monday April 27 2020, @08:29PM
Wouldn't fix anything. Might make stuff worse due to lack of experience and resultant misconfigurations.
(Score: 5, Funny) by driverless on Tuesday April 28 2020, @02:15AM
So the lesson is "Beware of geeks bearing GIFs"?
(Score: 1, Informative) by Anonymous Coward on Monday April 27 2020, @07:45PM
The link to the technical breakdown got borked: https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/ [cyberark.com]
(Score: 2, Insightful) by Anonymous Coward on Monday April 27 2020, @07:50PM (4 children)
How can anyone in their right mind think of using Teams with security holes like this. Complete amateurs. Can anyone recommend an alternative that isn't so rife with poorly written code?
(Score: 1, Interesting) by Anonymous Coward on Monday April 27 2020, @09:32PM (2 children)
What are the other options? Honest question.
(Score: 1, Informative) by Anonymous Coward on Monday April 27 2020, @11:29PM
jitsi, matrix.org
search soylent [soylentnews.org], we have a thread about exactly this here: https://soylentnews.org/article.pl?sid=20/04/17/2115227 [soylentnews.org]
(Score: 0) by Anonymous Coward on Tuesday April 28 2020, @04:07AM
Discord
MatterMost
Yammer
Slack
(Score: 2, Funny) by Anonymous Coward on Monday April 27 2020, @10:57PM
They need to take one for the Teams.
(Score: 1, Touché) by Anonymous Coward on Monday April 27 2020, @11:27PM (2 children)
The gif isn't weaponized. It's literally "any old image" and the exploit shuffles creds around including to two controllable MS subdomains (under *.teams.microsoft.com). MS's first fix was just to deny non-MS actors control of those domains. It's a very good exercise in application-level protocol analysis, but there's nothing special at all about the images used. A different remote resource would work just as well, images are simply convenient in that they're automatically displayed (and therefore automatically loaded).
(Score: 0) by Anonymous Coward on Tuesday April 28 2020, @12:11PM (1 child)
The two halves of this sentence contradict each other. Different remote resources wouldn't work as well since they aren't automatically loaded.
(Score: 0) by Anonymous Coward on Wednesday April 29 2020, @09:18AM
What? Functioning vs. availability mean anything to you?
Loading any other remote resource would have worked just as well at that step of this exploit. Functionally images are no different. Images are a convenient type of resource but are not in any other way integral to the exploit. Availability makes them a convenient exemplar. That seemed very clear in GP.
(Score: 1, Insightful) by Anonymous Coward on Tuesday April 28 2020, @12:16AM (1 child)
"Windows", you say? Security issue? Rather odd, never heard of security issues with Windows before, especially Microsoft Windows. What will they think of next?
(Score: 0) by Anonymous Coward on Tuesday April 28 2020, @12:41PM
Injecting disinfectants and scarring lung tissue with UV light.