Microsoft Teams Account Hijacking Linked To This Malicious GIF Attack

Microsoft Teams
Microsoft has patched a vulnerability in its Teams software that could have allowed an attacker to infiltrate compromised systems, steal data, and even take control of an entire organization's accounts. What makes the security flaw somewhat unique is that all of the dastardly deeds could have been accomplished with a just an animated GIF.

Users within the organization wouldn't even need to share the infected GIF—just viewing it would be enough for it to work its malicious mojo. The attack itself was leveraged in a subdomain takeover vulnerability in Teams, and prior to being patched, would have affected every user who users the Teams desktop or web browser version.

"Without getting into too many technical details, every time you open Teams, your client creates a new temporary token or access token. This access token, in the form of JWT [JSON Web Token], is created by Microsoft’s authorization and the authentication server—'login.microsoftonline.com'," CyberArk explains in a blog post.

This is where the trouble could be found. Loading images is a bit more complicated, and to solve the problem, Teams uses cookies called "authtoken" and "skypetoken_asm," and two of the subdomains they get sent to were previously found to be vulnerable to a takeover attack.

"If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token. After doing all of this, the attacker can steal the victim's Teams account data," CyberArk added.

Microsoft was made aware of the issue in March and promptly corrected the misconfigured DNS records that made this attack possible. It then issued a patch last Monday to further protect users from this kind of attack.

It's not clear if this was ever actively exploited. However, it underscores the increased scrutiny that video conferencing platforms are under with more people working from home in light of COVID-19. Zoom, for example, has seen its share of security and privacy missteps, and recently addressed many of those issues with a 5.0 update.

Top Image Source: CyberArk

Show comments blog comments powered by Disqus