Microsoft fixes leak in Teams that allowed account takeover via domain takeover

Microsoft has patched a vulnerability in Teams working platform that allowed attackers to take over all accounts in a subdomain by sending a file. The leak was in both the desktop and web versions.

The vulnerability was discovered by security firm CyberArk. The researchers discovered that Teams accounts within a group could be taken over by having an authentication token generated for the domain used. Every time Teams is opened, a new temporary access token is generated. Restrictions are imposed on who can log in via cookies. One of those cookies was forwarded to subdomains of teams.microsoft.com. That subdomain was vulnerable to a takeover, CyberArk discovered.

The subdomain’s ability to be inherited allowed the attackers to steal authentication tokens if users were routed to the subdomain. This could be done, for example, by letting them click on an infected link. However, the researchers also found a way to send a gif file that would allow the authentication token to be automatically generated and forwarded to the subdomain. For that, users only had to view the gif. It was then possible to steal the token from any Teams user who viewed it. Although CyberArk only talks about gifs, tweaker seba notes that the attack can be exploited with any kind of file.

The leak was in the web version and the desktop download of Teams. CyberArk reported the leak to Microsoft a month ago. The company has since fixed the vulnerability. According to Microsoft, there is no indication that the vulnerability has been actively exploited.