This is how viewing a GIF in Microsoft Teams triggered account hijacking bug

Seeing an animation was enough to be impacted, researchers say.

Zoom or Teams? Virtual parliament puts remote working to the test

Microsoft has resolved security problems in Microsoft Teams that could have been used in an attack chain to take over user accounts -- all with the help of a .GIF file. 

On Monday, cybersecurity researchers from CyberArk said a subdomain takeover vulnerability, combined with a malicious .GIF file, could be used to "scrape a user's data and ultimately take over an organization's entire roster of Teams accounts.'

The team says the security issues impact Microsoft Teams on desktop as well as the web browser version.

Microsoft's communications platform is enjoying an expanded customer base alongside rival services such as Zoom and GoToMeeting due to the COVID-19 outbreak. Microsoft Teams is being employed in keeping businesses operational, which includes the sharing of corporate data, and may, therefore, be of renewed interest to cyberattackers in light of the current circumstances. 

See also: Microsoft: Here's how we're trying to manage increased cloud demand

During CyberArk's examination of the platform, the team found that every time the application was opened, the Teams client creates a new temporary access token, authenticated via login.microsoftonline.com. Other tokens are also generated to access supported services such as SharePoint and Outlook.

Two cookies are used to restrict content access permissions, "authtoken" and "skypetoken_asm." The Skype token was sent to teams.microsoft.com and its subdomains -- two of which were found to be vulnerable to a subdomain takeover. 

"If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token," the team says. "After doing all of this, the attacker can steal the victim's Teams account data."

CNET: These anti-quarantine websites are fakes. Here's what they're really after

However, the attack chain is complex, as it was necessary for an attacker to issue a certificate for the compromised subdomains, only possible by 'proving' ownership by tests such as uploading a file to a specific path. 

As the subdomains were already vulnerable, this challenge was overcome -- and by sending either a malicious link to the subdomain or by sending a team a .GIF file, this could lead to the generation of the required token to compromise a victim's Teams session by a newly-authenticated attacker. As the image only had to be viewed, this could impact more than one individual at a time. 

screenshot-2020-04-26-at-14-38-36.png

CyberArk released proof-of-concept (PoC) code demonstrating how attacks could have taken place, alongside a script that could be used to scrape Teams conversations. 

screenshot-2020-04-26-at-14-39-06.png

TechRepublic: Coronavirus-themed phishing attacks aim to capture banking credentials

"COVID-19 has forced many companies to move to full-time remote work -- leading to a significant uptick in the number of users that use Teams or platforms like it," CyberArk says. "Even if an attacker doesn't gather much information from a Teams' account, they could use the account to traverse throughout an organization."

The researchers worked with the Microsoft Security Response Center (MSRC) under the Coordinated Vulnerability Disclosure (CVD) program to report their findings.  

CyberArk reported the security flaw on March 23. On the same day, the Redmond giant corrected the misconfigured DNS records of the two subdomains required to trigger the takeover of accounts. On April 20, Microsoft also released a patch to mitigate the risk of similar bugs in the future. 

A Microsoft spokesperson told ZDNet:

"We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0