Critical vulnerability in Microsoft Teams could lead to data theft by just looking at a picture

News by Rene Millman

A malicious GIF sent to victims could let malware scrape data in Microsoft Teams and spread to other groups.

Security researchers have discovered a critical security vulnerability in Microsoft Teams desktop and browser instances which could lead to widespread data theft campaigns, compromised credentials, ransomware attacks and corporate espionage.

According to a blog post by CyberArk, researchers found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape users' data and ultimately take over an organisation's entire roster of Teams accounts. As users would not have to share the GIF, just see it, to be impacted, the attack has the ability to spread automatically.

Researchers said that the vulnerability would have affected every user who uses the Teams desktop or web browser version.

The flaw lies in the way Teams passes the authentication access token to image resources. Every time Teams is opened, the client creates a new temporary token, or access token. This access token, in the form of a JWT, is created by Microsoft's authorisation and authentication server, "login.microsoftonline.com".

The Teams client uses one of the created tokens to allow a user to see images shared with them or by them, as those images are stored on Microsoft's servers, which apply authorisation control. This token, called the "skype token", can also be seen as a cookie named "skypetoken_asm". Microsoft validates both the authtoken and a second Skype token via *.teams.microsoft.com.

Researchers found two vulnerable Microsoft subdomains “aadsync-test.teams.microsoft.com” and “data-dev.teams.microsoft.com”.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” researchers said.
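The reason a taken-over subdomain receives the victim's cookie is the browser's cookie domain-matching rule: a cookie scoped to a parent domain is sent to every host beneath it. The following is an added example, not code from CyberArk, Microsoft or this article; it implements the RFC 6265 rule and assumes the authtoken cookie carries a Domain attribute of teams.microsoft.com, consistent with the article's "*.teams.microsoft.com" description (the host-only variant is included for contrast only and is not the fix the article reports, which was removing the dangling DNS records).

```python
"""Added example: which hosts a browser would send a domain-scoped cookie to.
Host inventory below is constructed; the two subdomains are the ones named
in the article. Not code from the CyberArk write-up or from Microsoft."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: Optional[str]  # Domain attribute; None means host-only cookie
    set_by_host: str       # host that issued the Set-Cookie header


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def would_send(cookie: Cookie, request_host: str) -> bool:
    """True if a browser would attach the cookie to a request for request_host.
    Host-only cookies return only to the exact host that set them;
    domain cookies go to that domain and every subdomain of it."""
    if cookie.domain is None:
        return request_host.lower() == cookie.set_by_host.lower()
    return domain_matches(request_host, cookie.domain)


def exposed_hosts(cookie: Cookie, hosts: list) -> list:
    """Hosts in an inventory (e.g. all names in a DNS zone) that receive the cookie."""
    return [h for h in hosts if would_send(cookie, h)]


# Constructed inventory: the two subdomains from the article plus a lookalike
# that must NOT match, since it is not a subdomain of teams.microsoft.com.
ZONE_HOSTS = [
    "teams.microsoft.com",
    "aadsync-test.teams.microsoft.com",
    "data-dev.teams.microsoft.com",
    "teams.microsoft.com.lookalike.example",
]

# Cookie scoped to the parent domain (assumption, matching the article's description).
WILDCARD_COOKIE = Cookie("authtoken", "teams.microsoft.com", "teams.microsoft.com")
# Same cookie issued host-only: no Domain attribute, so subdomains never see it.
HOST_ONLY_COOKIE = Cookie("authtoken", None, "teams.microsoft.com")

if __name__ == "__main__":
    print("domain cookie reaches:", exposed_hosts(WILDCARD_COOKIE, ZONE_HOSTS))
    print("host-only cookie reaches:", exposed_hosts(HOST_ONLY_COOKIE, ZONE_HOSTS))
```

Running the inventory check over a full zone export is a quick way to see every name that would receive a domain-scoped session cookie, which is the list that must not contain any dangling record.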

Researchers created a proof of concept in which the victim only needs to view the GIF for the attack to work.

“The fact that the victim needs only to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also have been a spreading point to all other company accounts. The vulnerability can also be sent to groups (a.k.a Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps,” said researchers.

Researchers said that they worked with the Microsoft Security Response Center under Coordinated Vulnerability Disclosure after finding the account takeover vulnerability. Microsoft quickly deleted the misconfigured DNS records of the two subdomains, which were exposed to takeover.

Matt Aldridge, principal solutions architect at Webroot, told SC Media UK that remote working policies should be reviewed and cross-checked for any security or privacy compliance risks as user numbers scale up.

“Monitoring and detection will need to be improved accordingly. There will be pressure on IT teams to get more users, better, faster and more secure access into their systems remotely, but this should not come at the expense of security and cyber resilience as a whole,” he said.

Jake Moore, cyber-security specialist at ESET, told SC Media UK that it is interesting that the vulnerability lies in the more colloquial portion of the platform.

“Fighting off strong competition, Teams has been able to hold its head high amongst the fierce battle of whose video conferencing app is the best. Teams has long prided itself on security but has possibly let a vulnerability slip through the net in the form of a GIF. Unless this is patched quickly, I would suggest businesses stick to the more formal procedure on Teams with no added GIF functionality for now,” he said.
