Bug Allowed Hackers To Steal Teams Data Via GIF Image

Microsoft has issued fixes for a security vulnerability that could have allowed attackers to take over accounts and steal data from the Teams groupware application, using a simple GIF image.

The issue was discovered just as Teams, like Zoom and other online business communications tools, showed a huge surge in usage due to the various coronavirus lockdowns being imposed around the world.

CyberArk found that two Microsoft subdomains used for authenticating Teams users were vulnerable to takeover by attackers.

This could be exploited along with the use of a malicious GIF file to give attackers access to two key authentication tokens, effectively allowing them full access to a given Teams account.

Data theft

The attack could have allowed malicious users to send and read messages, create groups, add or remove users from groups, change permissions and perform other actions.

The attack did not require a user to click on a link; merely viewing an image was enough for it to work.

This fact, along with the broad access granted by a successful attack, meant hackers could use compromised accounts to automatically launch attacks on other contacts, taking over entire Teams groups.

“Every account that could have been impacted by this vulnerability could also be a spreading point to all other company accounts,” CyberArk said in an advisory.

Both the desktop and web browser versions of Teams were affected.

The firm discovered that Teams creates new authentication tokens each time a user logs in, storing the tokens in various Microsoft subdomains.

Two of those subdomains were vulnerable to being taken over by attackers, although the takeover process was complex, involving issuing a security certificate for the compromised subdomain and proving ownership by uploading a file to a specific path.

Once the subdomain had been taken over, it was possible to trick the user’s computer into visiting the compromised subdomain by viewing an image, such as the GIF pictures routinely shared amongst users.

That gave the attacker access to an authentication token, allowing them in turn to create another token, called a Skype token.
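As an added illustration (not code from CyberArk or Microsoft), the Python example below audits a DNS inventory for the condition described above: a subdomain whose CNAME points at an unclaimed resource and which also sits inside the scope of an authentication cookie, so a browser fetching an image from it would attach the token. It assumes the token is held in a domain-scoped cookie; every hostname, cookie name and inventory entry is constructed.

```python
# Added example: all names below (example.com, cloud.example.net, session_token)
# are hypothetical and the inventory is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # Domain attribute; "" means host-only
    origin_host: str  # host that set the cookie

def domain_match(host: str, cookie: Cookie) -> bool:
    """RFC 6265 sec. 5.1.3: would a browser attach this cookie to a request for host?"""
    host = host.lower().rstrip(".")
    if not cookie.domain:                       # host-only cookie: exact match only
        return host == cookie.origin_host.lower()
    dom = cookie.domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def audit(cnames: dict[str, str], live_targets: set[str], cookies: list[Cookie]):
    """Return (host, target, exposed_cookie_names) per dangling CNAME, worst first."""
    findings = []
    for host, target in cnames.items():
        if target in live_targets:
            continue                            # target still provisioned: not dangling
        exposed = sorted(c.name for c in cookies if domain_match(host, c))
        findings.append((host, target, exposed))
    # Dangling names that would receive auth cookies are the urgent ones.
    return sorted(findings, key=lambda f: (not f[2], f[0]))

# Constructed inventory: CNAME records, still-provisioned targets, cookies in use.
CNAMES = {
    "sync-test.chat.example.com": "old-app.cloud.example.net",
    "cdn.chat.example.com": "cdn-prod.cloud.example.net",
    "promo.example.com": "campaign.cloud.example.net",
}
LIVE = {"cdn-prod.cloud.example.net"}
COOKIES = [
    Cookie("session_token", ".chat.example.com", "chat.example.com"),
    Cookie("prefs", "", "chat.example.com"),
]

if __name__ == "__main__":
    for host, target, exposed in audit(CNAMES, LIVE, COOKIES):
        level = "HIGH" if exposed else "MEDIUM"
        print(f"{level} {host} -> {target} (unclaimed); cookies sent: {exposed or 'none'}")
```

The Secure attribute is not modelled, because whoever controls a taken-over subdomain can obtain a certificate for it, as the takeover process above describes; host-only cookies and narrower Domain scopes are what reduce exposure.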

Security fix

“After doing all of this, the attacker can steal the victim’s Teams account data,” CyberArk said.

Companies are currently sharing far more corporate data than usual over apps such as Teams as more staff work from home, making such an attack more attractive than usual, the firm said.

“Covid-19 has forced many companies to move to full-time remote work – leading to a significant uptick in the number of users that use Teams or platforms like it,” CyberArk said.

“Even if an attacker doesn’t gather much information from a Teams’ account, they could use the account to traverse throughout an organisation.”

The firm released proof-of-concept code showing how such an attack would work, along with a script for scraping Teams conversations.

It reported the issue to Microsoft on 23 March, and on the same day Microsoft corrected the DNS misconfiguration that allowed the attack to function.

Last week Microsoft released a patch for Teams aimed at preventing further vulnerabilities of the same kind.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
