Life, the universe and why proper DNS recon is important

So in the midst of the recent COVID-19 pandemic :mask: it's been interesting to see more and more businesses embrace remote tools for communication. Heck, we invented new terms like zoombombing to discuss the insecurity of many of these. Companies like Zoom even saw a drop in stock price as people started to show concerns for some of its security issues.

People swarmed to alternatives… like Microsoft Teams instead. It must be secure, right?

Well… not so fast. With enough money and motive, anything can be breached. And a recent disclosure shows us why it's important to properly do recon and look for subdomain takeover opportunities. STO itself isn't always that interesting… but when chained properly… it has real damage potential that can increase your bounties when demonstrated correctly.

Think about this recent Teams vuln. Being able to extract the authtoken by parking a GIF as a malicious link on a subdomain inside a chat led to getting a JWT for api.spaces.skype.com. That in itself isn’t all that sexy, but the fact you could then hit that endpoint and grab the skype token which allows you access to their account data… jackpot.

Read the disclosure for more depth into this attack. But the point is made… make sure you do your recon for STO. You never know where it may lead.

Thoughts? Who here can’t be bothered with STO? Rethinking that now?

P.S. Watch the PoC vid in the disclosure. Rather entertaining.
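What "proper DNS recon" looks like from the owning side is an inventory check for dangling CNAME records: a subdomain whose CNAME target no longer resolves is the precondition for the takeover the post describes. The script below is an added example, not code from the original post or from the disclosure it references; the zone snapshot and the resolver answers are constructed, and the hostnames in it (example.com, hosting.example.net, cdn.example.org) are placeholders rather than real services.

```python
"""Flag dangling CNAME records in a zone snapshot.

Added example (not from the original post). A CNAME whose target returns
NXDOMAIN is the classic subdomain-takeover precondition, so an asset
inventory should raise it before an outside party does.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "blog.example.com"
    rtype: str   # "A", "CNAME", ...
    value: str   # address or CNAME target


# Constructed zone snapshot (hypothetical names and targets).
SAMPLE_ZONE = [
    Record("www.example.com", "A", "203.0.113.10"),
    Record("blog.example.com", "CNAME", "blog-prod.hosting.example.net."),
    Record("old-promo.example.com", "CNAME", "promo-2018.hosting.example.net."),
    Record("shop.example.com", "CNAME", "shop.example.com.cdn.example.org."),
]

# Constructed resolver answers standing in for live DNS lookups:
# a resolving host maps to an address, an NXDOMAIN host maps to None.
SAMPLE_ANSWERS = {
    "blog-prod.hosting.example.net": "198.51.100.7",
    "promo-2018.hosting.example.net": None,
    "shop.example.com.cdn.example.org": "198.51.100.42",
}


def live_resolve(host: str) -> Optional[str]:
    """Resolve a host via the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def find_dangling_cnames(
    zone: Iterable[Record],
    resolve: Callable[[str], Optional[str]] = live_resolve,
) -> List[Tuple[str, str]]:
    """Return (owner name, CNAME target) pairs whose target fails to resolve.

    Each hit is a record to delete or re-point (or a target to reclaim),
    because an unresolvable target is what takeover recon searches for.
    """
    dangling = []
    for rec in zone:
        if rec.rtype.upper() != "CNAME":
            continue
        target = rec.value.rstrip(".")      # normalise the trailing dot
        if resolve(target) is None:
            dangling.append((rec.name, target))
    return dangling


def format_report(dangling: List[Tuple[str, str]]) -> str:
    """Render findings as one line per dangling record (empty string if none)."""
    return "\n".join(f"DANGLING {name} -> {target}" for name, target in dangling)


if __name__ == "__main__":
    # Offline demonstration using the constructed answers; swap in
    # live_resolve (the default) to check a real zone export.
    print(format_report(find_dangling_cnames(SAMPLE_ZONE, SAMPLE_ANSWERS.get)))
```

Run against a real zone export with the default resolver, a hit means the subdomain's DNS still points somewhere you no longer control; the fix is to remove the record, not to wait for someone else to register the target.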


Everything works, really great things.