Life, the universe and why proper DNS recon is important

So in the midst of the recent COVID-19 pandemic it's been interesting to see more and more businesses embrace remote tools for communication. Heck, we invented new terms like zoombombing to discuss the insecurity of many of these. Companies like Zoom even saw a drop in stock price as people started to show concerns for some of its security issues.

People swarmed to alternatives… like Microsoft Teams instead. It must be secure, right?

Well… not so fast. With enough money and motive, anything can be breached. And a recent disclosure shows us why it's important to properly do recon and look for subdomain takeover opportunities. STO itself isn't always that interesting… but when chained properly… it has real damage potential that can increase your bounties when demonstrated correctly.

Think about this recent Teams vuln. Being able to extract the authtoken by parking a GIF as a malicious link on a subdomain inside a chat led to getting a JWT for api.spaces.skype.com. That in itself isn't all that sexy, but the fact you could then hit that endpoint and grab the skype token which allows you access to their account data… jackpot.

Read the disclosure for more depth into this attack. But the point is made… make sure you do your recon for STO. You never know where it may lead.

Thoughts? Who here can't be bothered with STO? Rethinking that now?

P.S. Watch the PoC vid in the disclosure. Rather entertaining.

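The defender-side version of the STO recon the post is talking about is simply checking your own zones for CNAMEs that dead-end. As an added example (not code from the original post or from the disclosure), here is an offline dangling-CNAME check over a constructed zone snapshot; the `example.test` names are placeholders, and a real run would replace the static `ZONE` dict with live DNS lookups of each CNAME target.

```python
"""Flag CNAME records whose target no longer resolves (subdomain-takeover candidates)."""

# Constructed zone snapshot for the example (placeholder names, not real data).
# Each name maps to (record type, value); names resolve only within this dict.
ZONE = {
    "www.example.test": ("A", "192.0.2.10"),
    "blog.example.test": ("CNAME", "blog-prod.example.test"),
    "blog-prod.example.test": ("A", "192.0.2.20"),
    # Old campaign site: CNAME still points at a host that has been decommissioned.
    "promo.example.test": ("CNAME", "old-campaign.hosting.example.test"),
    # CNAME loop: a misconfiguration rather than a takeover, but still worth flagging.
    "loop-a.example.test": ("CNAME", "loop-b.example.test"),
    "loop-b.example.test": ("CNAME", "loop-a.example.test"),
}


def resolve_chain(name, zone, max_hops=8):
    """Follow a CNAME chain inside `zone`.

    Returns ("ok", terminal_name) when the chain ends at a non-CNAME record,
    ("dangling", missing_name) when a target has no record at all (the STO case),
    or ("loop", name) when the chain revisits a name or exceeds max_hops.
    """
    seen = []
    current = name
    while current not in seen and len(seen) < max_hops:
        seen.append(current)
        record = zone.get(current)
        if record is None:
            return ("dangling", current)
        rtype, value = record
        if rtype != "CNAME":
            return ("ok", current)
        current = value
    return ("loop", current)


def find_broken_cnames(zone):
    """Return {name: (status, target)} for every CNAME in `zone` that does not resolve cleanly."""
    findings = {}
    for name, (rtype, _value) in zone.items():
        if rtype != "CNAME":
            continue
        status, target = resolve_chain(name, zone)
        if status != "ok":
            findings[name] = (status, target)
    return findings


if __name__ == "__main__":
    for name, (status, target) in sorted(find_broken_cnames(ZONE).items()):
        print(f"{status:9} {name} -> {target}")
```

A dangling entry is the signal to either remove the record or reclaim the target before someone else does; the loop entries are ordinary hygiene findings.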

Everything works, really great things.