Microsoft fixes ‘Evil Gif’ vulnerability in Teams

Written by Mon 27 Apr 2020

Vulnerability could have “spread like a worm” through an organisation

Cyber security researchers have claimed hackers could have compromised an organisation’s entire roster of Microsoft Teams accounts by sending a malicious GIF.

According to CyberArk, which published the research Monday, a subdomain takeover vulnerability in the popular communication and collaboration tool could have been exploited by hackers to scrape a user’s data and steadily infiltrate an organisation’s Teams portfolio.

The researchers said users wouldn’t even have had to share the GIF to be affected, only to view it, meaning it could have spread like wildfire throughout a company if left unchecked. The vulnerability affected both the desktop and browser versions of Teams.

After discovering the account takeover vulnerability, the cyber security company worked with Microsoft Security Research Center behind the scenes to plug the flaw, and Microsoft has now issued a fix.

Taking one for the Teams

The vulnerability leveraged the way Microsoft Teams secures media sharing between users to exploit two vulnerable Microsoft subdomains.

There are a number of ways to go about governing access restrictions for images and other content in an application like Teams. Microsoft Teams creates two cookies, called “authtoken” and “skypetoken_asm”, to handle the task.

After some further digging, CyberArk discovered that if a hacker had access to both tokens they could execute API actions through Teams’ API interfaces, letting them send and read messages, create groups, add and remove users and permissions – basically the keys to the kingdom.

The researchers then discovered that by sending an image with the “src” attribute set to a compromised subdomain via Teams chat, an attacker could have gotten their hands on both tokens, ultimately enabling the attacker to scrape all of a victim’s data. The researchers demonstrated this with a fairly innocuous GIF of Daffy Duck.
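The article does not say how the two cookies were scoped. As an added illustration (not code from CyberArk or Microsoft), the JavaScript below assumes the usual cause of this kind of exposure, a session cookie whose Domain attribute covers every subdomain, and audits a host inventory for names that would receive such a cookie without being under the organisation’s control. The example.com hosts, the cookie scopes and the inventory fields are constructed placeholders, not Teams’ real configuration.

```javascript
// RFC 6265 section 5.1.3 domain-match: the exact host, or any subdomain of
// the cookie's domain (IP-address hosts are out of scope for this sketch).
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// A host-only cookie (set without a Domain attribute) is returned only to
// the exact host that set it; a domain cookie follows domain-match.
function cookieSentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
}

// List every inventory host that would receive a session cookie but is not
// confirmed to be under the organisation's control.
function auditCookieExposure(cookies, inventory) {
  const findings = [];
  for (const cookie of cookies) {
    for (const entry of inventory) {
      if (cookieSentTo(cookie, entry.host) && !entry.controlled) {
        findings.push({ cookie: cookie.name, host: entry.host, reason: entry.note });
      }
    }
  }
  return findings;
}

// Constructed sample data. Cookie names come from the article; scopes are assumed.
const cookies = [
  { name: "authtoken", domain: "app.example.com", hostOnly: false },
  { name: "skypetoken_asm", domain: "media.app.example.com", hostOnly: true },
];
const inventory = [
  { host: "app.example.com", controlled: true, note: "main application" },
  { host: "media.app.example.com", controlled: true, note: "media service" },
  { host: "old-promo.app.example.com", controlled: false,
    note: "DNS record still points at a deprovisioned resource" },
  { host: "notapp.example.com", controlled: false, note: "look-alike, not a subdomain" },
];

const findings = auditCookieExposure(cookies, inventory);
console.log(findings);
```

Only the domain-scoped cookie is flagged, and only for the stale subdomain: the host-only cookie never leaves its own host, and the look-alike name fails domain-match.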

“One of the biggest and the scariest things about this vulnerability is that it can be spread automatically, similar to a worm virus,” the researchers said in a blog post.

“Eventually, the attacker could access all the data from your organization’s Teams accounts – gathering confidential information, meetings and calendar information, competitive data, secrets, passwords, private information, business plans, etc.”

The researchers said there is no evidence that hackers successfully exploited the flaw and thanked Microsoft for taking quick action to rectify the misconfigured subdomains.
