Teams vulnerability fixed that allowed a GIF to hijack people’s accounts
A vulnerability in Microsoft Teams has been fixed, protecting people from malicious links and GIFS that could be used to access people’s data (via Neowin). The vulnerability was discovered by CyberArk, which worked with Microsoft to fix the issue. The security flaw was present in both the desktop and web browser versions of Microsoft Teams.
Taking advantage of the vulnerability would require a sophisticated form of attack. To access someone’s data, an attacker would have had to create and share a malicious link or GIF that someone opened within Microsoft Teams. Notably, a link would have had to be opened, whereas a GIF would just need to be viewed within the communication app. Opening the malicious content within Teams would then send an authentication token to a server controlled by the attacker. Using that data, an attacker could read people’s messages, send messages pretending to be a person, create groups, and control the Teams account in several other ways.
An attacker could automate the process and send attacks that would work their way through an entire organization. Here is a portion of CyberArk’s conclusions about the vulnerability:
Even if an attacker doesn’t gather much information from a Teams’ account, they could still use the account to traverse throughout an organization (just like a worm). Eventually, the attacker could access all the data from your organization’s Teams accounts – gathering confidential information, meetings and calenders information, competitive data, secrets, passwords, private information, business plans, etc.
Maybe even more disturbing, they could also exploit this vulnerability to send false information to employees – impersonating a company’s most trusted leadership – leading to financial damage, confusion, direct data leakage, and more.
A Microsoft spokesperson told SecurityWeek, “We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.”
The vulnerability relies on an attacker gaining access to subdomains that are open to attack. CyberArk found two subdomains that could be used in an attack, but Microsoft states that these subdomains cannot be exploited anymore.
CyberArk told SecurityWeek that it believes the same attack tactics could still work if someone found a subdomain that could be hijacked, though that’s not an easy task, according to CyberArk.
