News

Microsoft patches Teams against image-based account takeover flaw

Malicious gifs that produced cookies could be used to access an entire organisation's accounts

27 Apr 2020

.polaris__post-meta--date { display: none; } .polaris__post-meta--date.no-script { display: block; padding-left: 45px } 27 Apr 2020

Teams

Microsoft has moved fast to patch a vulnerability that let hackers take over Teams accounts simply by sharing malicious gifs.

The issue could have potentially affected every user that uses Microsoft Teams on desktop or in a web browser, according to CyberArk, which worked with the tech giant's security research centre.

The hack is essentially a subdomain takeover whereby attackers use a gif to scrape user data and gain control of an entire organisations' Teams accounts as it's shared through the service.

This is an exploit of the way Teams passes authentication access tokens to image resources. Every time a user opens the app a temporary token is created in the form of a JESON Web Token (JWT). These allow other users to see images shared with them or by them, as they are stored on a Microsoft server. A user only has to see the image for the attack to start spreading automatically.

This creates two cookies that allow hackers to make calls through the Teams APIs as well as have complete control over an account. This includes being able to read and send messages, create groups, add or remove participants and change permissions.

The only hurdle to the attack is that "authtoken" can only be used with a subdomain.

"If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a skype token," CyberArk explained in a blog post. "After doing all of this, the attacker can steal the victim's Teams account data"

Microsoft has patched the issue after being alerted to the threat via its vulnerability disclosure program. The tech giant deleted misconfigured DNS records that allowed the attackers to gain control of the subdomains.

Featured Resources

The Total Economic Impact™ Of Turbonomic Application Resource Management for IBM Cloud® Paks

Business benefits and cost savings enabled by IBM Turbonomic Application Resource Management

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1657121646/itpro/Whitepaper%20covers/The_Total_Economic_Impact_of_IBM_Turbonomic_Application_Resource_Management.jpg { display: none !important; }

Free Download

The Total Economic Impact™ of IBM Watson Assistant

Cost savings and business benefits enabled by Watson Assistant

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1647522589/itpro/Whitepaper%20covers/Total_Economic_Impact_Report_Watson_Assistant_thumb.jpg { display: none !important; }

Free Download

The field guide to application modernisation

Moving forward with your enterprise application portfolio

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1657123342/itpro/Whitepaper%20covers/Field_Guide_to_Application_Modernization_on_IBM_Power.jpg { display: none !important; }

Free Download

AI for customer service

Discover the industry-leading AI platform that customers and employees want to use

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1657097343/itpro/Whitepaper%20covers/AI_for_Customer_Service_Smartpaper_Thumbnail.jpg { display: none !important; }

Free Download