In a previous post regarding Subdomain takeovers the term was explained, and in a subsequent post there was a demo showing it in action. Although being quite a severe issue and companies being affected, generally these haven’t been a subject on news related sites.
However, recently it was revealed that Security Researchers at CyberArk found Microsoft had experienced the issue which affected their Teams product, of which Microsoft responsibly disclosed on March 23rd.
CyberArk first discovered that there was a token “authtoken” which allows the creation of an additional token “skypetoken” to access the victim’s data. You may wonder how would it would be possible to get hold of this token?
The Security Researchers at CyberArk discovered two subdomains which could be overtaken. With this knowledge and due to the way the authentication works when accessing image resources, the “authtoken” could be leaked by sending the victim (or multiple victims within a group) an image, and this image would be loaded from the overtaken subdomains.
In parallel, the “authtoken” would be sent along with the “skypetoken” back to the attacker. Then the attacker would be able to access the victim’s data.
Microsoft patched this vulnerability in an update release on April 20th and removed the affected DNS records. However, as video conferencing has increased due to the Covid 19 pandemic, and a large portion of workers having to work from home, there has been a considerable increase in attacks that take advantage of the new landscape.