Microsoft patches Teams vulnerability that allowed for account takeover just by viewing a GIF
A security flaw in Microsoft Teams made it possible for attackers to take over accounts just by getting a victim to view a GIF. The vulnerability stemmed from the way in which Teams handles images and could allow for account takeovers and data theft.
Security firm CyberArk discovered the issue over a month ago and then worked with the Microsoft Security Research Center under Coordinated Vulnerability Disclosure to get the vulnerability fixed. With COVID-19 leading to a huge increase in the number of people working remotely and relying on the likes of Zoom and Teams, the prospect of such an easily exploitable vulnerability is concerning.
CyberArk showed how it was possible to use a compromised subdomain to host images and steal security tokens when a user views an image. What is particularly worrying about the attack is that it is completely invisible, and looking at an image is all it took for an attack to be carried out.
The security company explains how the attack works:
We found that the two following subdomains were vulnerable to a subdomain takeover:
If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim's Teams account data.
In terms of exploiting this vulnerability, there are a few steps that the attacker needs to go through.
First, the attacker needs to issue a certificate for the compromised sub-domains. The reason for this is that the "authtoken" cookie is flagged as secure, which means that the browser will only send this cookie via a secure channel -- HTTPS.
But, that shouldn't be a problem, because the certificate issuers will issue a valid certificate if you can prove that you are the owner of this domain or, in our case, the subdomain.
One of the ways to prove that you are the rightful owner is by uploading a file to a specific path and, because the compromised subdomain points to the attacker's server, they can pass this challenge very easily.
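The mechanism CyberArk describes rests on two cookie attributes: the `Domain` attribute, which decides whether a cookie set by one host is also sent to sibling subdomains (including a forgotten one that has been taken over), and the `Secure` flag, which restricts the cookie to HTTPS. The following added example is not code from the article or from CyberArk; it uses Python's standard `http.cookiejar` to simulate a browser's cookie scoping offline. The domains (`teams.example.com`, `forgotten-test.example.com`), the cookie value `SECRET` and the cookie names are constructed placeholders, not the real Teams values. It shows that a domain-wide cookie is sent to any subdomain over HTTPS but not over plain HTTP (which is why the attacker in the write-up needs a certificate), and that the same cookie issued as host-only is never sent to the other subdomain at all.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response so CookieJar can parse
    Set-Cookie headers offline (constructed for this example)."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            # Message.__setitem__ appends, so several Set-Cookie lines are kept
            self._headers["Set-Cookie"] = header

    def info(self):
        return self._headers


def jar_from_set_cookie(origin_url, set_cookie_headers):
    """Simulate a browser storing the Set-Cookie headers received from origin_url."""
    jar = CookieJar()  # DefaultCookiePolicy applies browser-like scoping rules
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(origin_url))
    return jar


def cookies_sent_to(jar, url):
    """Return the Cookie header a browser-like client would attach to a request
    for url, or None if no stored cookie is in scope for that host/scheme."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def demo():
    """Compare a domain-wide auth cookie with a host-only one (hypothetical hosts)."""
    issuer = "https://teams.example.com/"
    # Weak setting: Domain attribute widens the cookie to every *.example.com host
    weak = jar_from_set_cookie(
        issuer, ["authtoken=SECRET; Domain=.example.com; Path=/; Secure"])
    # Hardened setting: no Domain attribute, so the cookie is host-only
    hardened = jar_from_set_cookie(
        issuer, ["authtoken=SECRET; Path=/; Secure; HttpOnly"])
    stale = "forgotten-test.example.com"  # a subdomain nobody cleaned up (placeholder)
    return {
        # Domain-wide cookie leaks to any sibling subdomain over HTTPS
        "weak_https_to_stale": cookies_sent_to(weak, f"https://{stale}/"),
        # ... but Secure keeps it off plain HTTP, hence the attacker's need for a cert
        "weak_http_to_stale": cookies_sent_to(weak, f"http://{stale}/"),
        # Host-only cookie never reaches the sibling subdomain
        "hardened_https_to_stale": cookies_sent_to(hardened, f"https://{stale}/"),
        # ... while the issuing host still receives it normally
        "hardened_to_issuer": cookies_sent_to(hardened, issuer),
    }


if __name__ == "__main__":
    for case, header in demo().items():
        print(f"{case:28s} -> {header}")
```

The defensive takeaway is the last two cases: scoping an authentication cookie to the host that issued it removes the dependency on every other subdomain under the parent domain being correctly owned, which is the condition the subdomain takeover violated.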
The security researchers warn that "the victim will never know that they've been attacked, making the exploitation of this vulnerability stealthy and dangerous".
While there is no evidence to suggest that the vulnerability was exploited, similar problems could exist on other platforms.
A detailed write-up of the vulnerability can be found on the CyberArk website. Microsoft patched the issue a few days ago, so it's a good time to make sure that you have updated to the very latest version of Teams.