This is another instance of attackers taking advantage of the Coronavirus outbreak to target the key technologies companies rely on to stay connected. First it was Zoom; now it is Microsoft Teams, part of Microsoft 365.
Microsoft has now resolved a security flaw in Microsoft Teams that could potentially have led to a takeover of all of a user's account information with nothing more than a .GIF file. It affected the Microsoft Teams desktop app and the web browser version equally.
During CyberArk's examination of the platform, the research team found that whenever the application is opened, the Teams client creates a new temporary access token, authenticated via login.microsoftonline.com. Further tokens are generated to access supported services such as SharePoint and Outlook.
Generally, two cookies are used to restrict content access: "authtoken" and "skypetoken_asm." The Skype token was also sent to Microsoft Teams and its subdomains, and two of those subdomains were found to be vulnerable to subdomain takeover. "If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token," the research team says. "After doing all of this, the attacker can steal the victim's Team's account data."
CyberArk released Proof-of-Concept (PoC) code that demonstrates how an attack could have taken place. Also, it launched a script that could be used to scrape Microsoft Teams conversations.
Users would not have to share the GIF; simply viewing it was enough for it to have a lasting impact. On a crowded platform with millions of users, a vulnerability like this can spread automatically. It would have affected everyone using the browser or desktop version of Teams.
CyberArk, in response to the threat, worked with the Microsoft Security Research Center (MSRC) under Coordinated Vulnerability Disclosure (CVD) to fix the issue. The flaw was reported on March 23, 2020. On the same day, the Redmond giant corrected the misconfigured DNS records of the two subdomains needed to trigger the takeover of accounts. About a month later, on April 20, 2020, a patch was released to mitigate the risk of similar bugs that could come up in the future.
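The two ingredients described above, a cookie scoped to a parent domain (so the browser sends it to every subdomain) and a subdomain whose DNS record points at something nobody controls any more, are both things a defender can audit. The following is an added example, not CyberArk's PoC or Microsoft's code: it shows RFC 6265 cookie domain matching and a dangling-CNAME check, and crosses them to list subdomains that would both be claimable and receive the cookie. Every host name, IP address and DNS record in it is constructed for illustration, and the "does this target resolve?" step is stubbed with a constructed set instead of a live DNS lookup.

```python
"""Defender-side checks behind the Teams subdomain-takeover issue:
1. which hosts a browser will send a cookie to, from its Domain attribute;
2. which DNS names are dangling CNAMEs (targets that no longer resolve),
   the misconfiguration that makes a subdomain takeover possible.
All names, addresses and records below are constructed, not real."""

from typing import Dict, Iterable, List, Optional, Set, Tuple


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain
    or is a subdomain of it. A leading dot (old Netscape style) is ignored.
    Note that 'evilteams.example.com' does NOT match 'teams.example.com'."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def hosts_receiving_cookie(cookie_domain: Optional[str], set_by: str,
                           hosts: Iterable[str]) -> List[str]:
    """Hosts to which the browser will send a cookie.
    No Domain attribute -> host-only cookie, returned only to the host that set it.
    Domain=parent       -> sent to every subdomain of parent, whoever controls it."""
    if cookie_domain is None:
        return [h for h in hosts if h.lower() == set_by.lower()]
    return [h for h in hosts if domain_matches(h, cookie_domain)]


# Constructed DNS zone: name -> (record type, target). 203.0.113.0/24 is the
# documentation range, so these addresses point at nothing real.
SAMPLE_RECORDS: Dict[str, Tuple[str, str]] = {
    "teams.example.com": ("A", "203.0.113.10"),
    "api.teams.example.com": ("CNAME", "api-prod.hosting.example.net"),
    "old-app.teams.example.com": ("CNAME", "retired-tenant.hosting.example.net"),
    "login.example.com": ("A", "203.0.113.20"),
}

# Constructed stand-in for a live lookup. In a real audit you would resolve each
# CNAME target with a DNS library; here 'retired-tenant' is the one that
# no longer resolves (the hosted resource behind it was de-provisioned).
RESOLVABLE: Set[str] = {"api-prod.hosting.example.net"}


def find_dangling_cnames(records: Dict[str, Tuple[str, str]],
                         resolvable: Set[str]) -> List[str]:
    """Names whose CNAME target does not resolve. A dangling CNAME to a
    de-provisioned hosted resource is the classic precondition for subdomain
    takeover: whoever can claim the target name inherits the subdomain."""
    return sorted(name for name, (rtype, target) in records.items()
                  if rtype == "CNAME" and target.lower() not in resolvable)


def exposure_report(cookie_domain: Optional[str], set_by: str,
                    records: Dict[str, Tuple[str, str]],
                    resolvable: Set[str]) -> List[str]:
    """Cross the two checks: dangling subdomains that would also receive the
    cookie. Any entry here is a cookie-theft path and needs its DNS record
    removed or re-pointed, and ideally the cookie re-scoped to its own host."""
    dangling = set(find_dangling_cnames(records, resolvable))
    receiving = set(hosts_receiving_cookie(cookie_domain, set_by, records.keys()))
    return sorted(dangling & receiving)


if __name__ == "__main__":
    # Parent-scoped cookie: the dangling subdomain is in the blast radius.
    print("Domain=teams.example.com ->",
          exposure_report("teams.example.com", "teams.example.com",
                          SAMPLE_RECORDS, RESOLVABLE))
    # Host-only cookie: the same dangling record exists but gets no cookie.
    print("host-only cookie       ->",
          exposure_report(None, "teams.example.com", SAMPLE_RECORDS, RESOLVABLE))
```

Run as-is, the first line reports `old-app.teams.example.com` and the second reports nothing: the dangling record is equally wrong in both cases, but only the parent-scoped cookie turns it into an account-data exposure. That is why the fix had two parts on the page, correcting the DNS records the same day and then shipping a broader patch later.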
“COVID-19 has forced many companies to move to full-time remote work — leading to a significant uptick in the number of users that use Teams or platforms like it. Even if an attacker doesn’t gather much information from a Teams’ account, they could use the account to traverse throughout an organization,” CyberArk says.
Commenting on the fix, a spokesperson of ZDNet said, "We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe."