Security flaw in Microsoft Teams let hackers scrape user data using malicious GIFs

Security researchers at CyberArk recently discovered a security flaw in Microsoft Teams that could enable cyber criminals to scrape users' data or take over an organisation's entire roster of Teams accounts.

Microsoft Teams is a popular video conferencing software used by a large number of organisations to enable their remote workers to collaborate in projects and participate in team meetings. The main benefit of using Teams is that it provides first-party integration with a company’s Office 365 subscription and also features extensions that can integrate with non-Microsoft products.

Recently, security firm CyberArk discovered a subdomain takeover vulnerability in Microsoft Teams that allowed attackers to use a malicious GIF to scrape users’ data and ultimately take over an organisation’s entire roster of Teams accounts.

“Since users wouldn’t have to share the GIF – just see it – to be impacted, vulnerabilities like this have the ability to spread automatically. This vulnerability would have affected every user who uses the Teams desktop or web browser version,” the firm said. The Microsoft Security Research Center promptly issued a fix for the vulnerability after the flaw was highlighted by CyberArk on 23rd March.

“One of the biggest and the scariest things about this vulnerability is that it can be spread automatically, similar to a worm virus. The fact that the victim only needs to see the crafted message to be impacted is a nightmare from a security perspective. Every account that could have been impacted by this vulnerability could also be a spreading point to all other company accounts. The GIF could also be sent to groups (a.k.a. Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps.

“Even if an attacker doesn’t gather much information from a Teams account, they could still use the account to traverse throughout an organization (just like a worm). Eventually, the attacker could access all the data from your organization’s Teams accounts – gathering confidential information, meetings and calendars information, competitive data, secrets, passwords, private information, business plans, etc,” CyberArk added.

API developers must think like attackers to create new models covering misuse of APIs

Commenting on the discovery of the critical flaw in Microsoft Teams, Tim Mackey, principal security strategist at the Synopsys CyRC, said that this specific vulnerability has been mitigated by Microsoft, but the research shows just how careful we need to be when working with any content. In this case, had no patch been applied, simply viewing a malicious image would be the culprit. This then becomes another example where opening unexpected content could have serious repercussions, and why in this time of remote work everyone should review their IT security training.

He added that the vulnerability highlights the reality that there never is a single weakness behind any attack and that complex systems can provide opportunities for attack. In this case, a successful attack would’ve required impersonating a Microsoft Teams sub-domain using a technique known as a “subdomain takeover”.

"The next phase of the attack would be to exploit the behaviour of the Microsoft Teams API authentication system, followed by hosting a specially crafted GIF image on the compromised sub-domain. Triggering the attack then requires the attacker to convince their victim to open Teams and view their specially crafted GIF, at which point the attacker then has their victim’s access tokens and can impersonate them.

"This impersonation would include any access the victim would have, including reading past messages or harvesting other accounts by sending their malicious GIF to other users. Protecting against this type of attack requires API developers to think like attackers and ensure they fully understand the scope of any access their API tokens provide while also building a comprehensive threat model covering misuse of their APIs," he added.
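The subdomain takeover that Mackey describes as the first step of the attack chain is only possible when an organisation leaves a DNS record pointing at a hostname that no longer exists or is no longer under its control. The defensive counterpart is a periodic audit of the zone for such dangling records. The script below is an added illustration, not code from CyberArk, Microsoft or Synopsys: it walks a constructed sample zone (all hostnames are fictional, under the reserved `.test` TLD) and flags every CNAME whose target fails to resolve, and separately lists CNAMEs that resolve but point at third-party hosts, since those are the records most worth reviewing with the hosting provider. The `resolve_live` helper uses the system resolver for real zones; the table-backed resolver exists so the example runs offline.

```python
"""Audit a DNS zone for dangling CNAME records, the precondition for a subdomain takeover.

Added example (not from the original article). Sample zone and resolver answers are
constructed; every hostname is fictional and uses the reserved .test TLD.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample zone: subdomain -> CNAME target.
SAMPLE_ZONE: Dict[str, str] = {
    "www.example.test": "web-frontend.example.test",
    "docs.example.test": "old-docs-site.hosting-provider.test",
    "cdn.example.test": "assets-bucket.storage-provider.test",
    "status.example.test": "statuspage.saas-provider.test",
}

# Constructed snapshot of what the resolver currently answers for each target.
# None stands for NXDOMAIN: the target was decommissioned but the CNAME stayed behind.
SAMPLE_RESOLUTIONS: Dict[str, Optional[str]] = {
    "web-frontend.example.test": "203.0.113.10",
    "old-docs-site.hosting-provider.test": None,
    "assets-bucket.storage-provider.test": "198.51.100.7",
    "statuspage.saas-provider.test": None,
}

Resolver = Callable[[str], Optional[str]]


@dataclass
class Finding:
    name: str        # the subdomain in our zone
    target: str      # the CNAME target it points at
    severity: str    # "high" = dangling, "info" = resolving but third-party
    reason: str


def resolve_with_table(table: Dict[str, Optional[str]]) -> Resolver:
    """Build an offline resolver from a constructed answer table (unknown hosts -> NXDOMAIN)."""
    def resolver(host: str) -> Optional[str]:
        return table.get(host)
    return resolver


def resolve_live(host: str) -> Optional[str]:
    """Resolve with the system resolver; return None when the name does not resolve."""
    try:
        return socket.getaddrinfo(host, None)[0][4][0]
    except socket.gaierror:
        return None


def is_external(target: str, apex: str) -> bool:
    """True when the CNAME target lies outside the organisation's own apex domain."""
    return target != apex and not target.endswith("." + apex)


def find_dangling_cnames(zone: Dict[str, str], resolver: Resolver, apex: str) -> List[Finding]:
    """Return one Finding per CNAME that is dangling (high) or points off-zone (info)."""
    findings: List[Finding] = []
    for name, target in sorted(zone.items()):
        if resolver(target) is None:
            # The target no longer exists: anyone who can register or claim that
            # hostname at the provider would answer for our subdomain.
            findings.append(Finding(name, target, "high",
                                    "CNAME target does not resolve (NXDOMAIN)"))
        elif is_external(target, apex):
            findings.append(Finding(name, target, "info",
                                    "CNAME points at a third-party host; confirm ownership"))
    return findings


def main() -> None:
    resolver = resolve_with_table(SAMPLE_RESOLUTIONS)
    for f in find_dangling_cnames(SAMPLE_ZONE, resolver, apex="example.test"):
        print(f"[{f.severity.upper():4}] {f.name} -> {f.target}: {f.reason}")


if __name__ == "__main__":
    main()
```

Against the constructed data the audit reports `docs.example.test` and `status.example.test` as dangling and `cdn.example.test` for review; `www.example.test` resolves inside the zone and is silent. For a real zone, export the CNAME records from your DNS provider into the `zone` dictionary and pass `resolve_live` as the resolver.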
