Microsoft patches security vulnerability that could have allowed attackers to take over Teams accounts and groups if users viewed a seemingly innocent GIF
Microsoft has issued fixes for a security vulnerability that could have allowed attackers to take over accounts and steal data from the Teams groupware application, using a simple GIF image.
The issue was discovered just as Teams, like Zoom and other online business communications tools, showed a huge surge in usage due to the various coronavirus lockdowns being imposed around the world.
CyberArk found that two Microsoft subdomains used for authenticating Teams users were vulnerable to being accessed by attackers.
This could be exploited along with the use of a malicious GIF file to give attackers access to two key authentication tokens, effectively allowing them full access to a given Teams account.
The attack could have allowed malicious users to send and read messages, create groups, add or remove users from groups, change permissions, as well as other actions.
The user did not need to click on a link; merely viewing an image was enough for the attack to work.
This fact, along with the broad access granted by a successful attack, meant hackers could use compromised accounts to automatically launch attacks on other contacts, taking over entire Teams groups.
“Every account that could have been impacted by this vulnerability could also be a spreading point to all other company accounts,” CyberArk said in an advisory.
Both the desktop and web browser versions of Teams were affected.
The firm discovered that Teams creates new authentication tokens each time a user logs in, storing the tokens in various Microsoft subdomains.
Two of those subdomains were vulnerable to being taken over by attackers, although the takeover process was complex, involving issuing a security certificate for the compromised subdomain and proving ownership by uploading a file to a specific path.
Once the subdomain had been taken over, it was possible to trick the user’s computer into visiting the compromised subdomain by viewing an image, such as the GIF pictures routinely shared amongst users.
That gave the attacker access to an authentication token, allowing them in turn to create another token, called a Skype token.
“After doing all of this, the attacker can steal the victim’s Teams account data,” CyberArk said.
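Why loading an image from a taken-over subdomain can expose a token: the added example below (written for this article, not CyberArk's proof-of-concept or Microsoft's code) models browser cookie scoping and assumes the token travels as a cookie set for the whole parent domain; the hostnames and cookie names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenCookie:
    name: str
    domain: str       # lower-case host the cookie was set for
    host_only: bool   # True when the Set-Cookie header carried no Domain attribute
    secure: bool = True


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: a domain cookie is sent to its domain and every subdomain."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookies_sent_to(jar, request_host, https=True):
    """Names of the cookies a browser would attach to a request for request_host."""
    sent = []
    for c in jar:
        if c.secure and not https:
            continue
        if c.host_only and request_host.lower() != c.domain:
            continue
        if not c.host_only and not domain_matches(request_host, c.domain):
            continue
        sent.append(c.name)
    return sent


# Constructed jars: the first token cookie is scoped to the whole parent domain,
# the second is host-only, bound to the single host that issued it.
WEAK_JAR = [TokenCookie("authtoken", "example.com", host_only=False)]
HARDENED_JAR = [TokenCookie("authtoken", "teams.example.com", host_only=True)]

# Constructed hostname standing in for a subdomain whose DNS record an attacker controls.
TAKEN_OVER_HOST = "abandoned.example.com"
LEGIT_HOST = "teams.example.com"


def leaks_token(jar, img_host=TAKEN_OVER_HOST):
    """True if merely loading an image from img_host would carry the token along."""
    return "authtoken" in cookies_sent_to(jar, img_host)


if __name__ == "__main__":
    print("parent-domain cookie leaks:", leaks_token(WEAK_JAR))   # True
    print("host-only cookie leaks:", leaks_token(HARDENED_JAR))   # False
```

Narrow cookie scope is only one layer; the article's root cause, a dangling DNS record, still needs to be found and removed on the defender's side.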
Companies are currently sharing far more corporate data than usual over apps such as Teams as more staff work from home, making such an attack more attractive than usual, the firm said.
“Covid-19 has forced many companies to move to full-time remote work – leading to a significant uptick in the number of users that use Teams or platforms like it,” CyberArk said.
“Even if an attacker doesn’t gather much information from a Teams account, they could use the account to traverse throughout an organisation.”
The firm released proof-of-concept code showing how such an attack would work, along with a script for scraping Teams conversations.
It reported the issue to Microsoft on 23 March, and on the same day Microsoft corrected the DNS misconfiguration that allowed the attack to function.
Last week Microsoft released a patch for Teams aimed at preventing further vulnerabilities of the same kind.