Viewing a GIF in Microsoft Teams allows hackers to Takeover Accounts

The vulnerability, impacting both desktop and web versions allowed the attacker to access all the data- confidential information, business plans etc. from organization’s Teams accounts by sending a malicious link to an innocent-looking image. 

Omer Tsarfati from cyberArk’s said, “Even if an attacker doesn’t gather much information from a Team’s account, they could still use the account to traverse throughout an organisation (just like a worm)’. Eventually accessing all the data from organization’s Teams accounts.   

Researchers from CyberArk explain “Since users wouldn’t have to share the GIF – just see it – to be impacted, vulnerabilities like this have the ability to spread automatically.” 

Zoom, Microsoft Teams and GoToMeeting are seeing huge demand, keeping businesses, educational institutions etc operational while working from home. Since networks at home may not be as secure, it gives hackers the opportunity to attack and steal credentials and distribute malware. 

Takeover Vulnerability lies in the way Microsoft Teams handles authentication to image resources. Every time the app is opened, an access token, a JSON Web Token (JWT) is created during the process. To allow a user to view images the app uses two authentication tokens: authtoken and skypetoken. An attacker with both tokens can make calls through the Teams API‌s, take over an account, read/send messages, add or remove users, change permissions, and create groups. 

The Teams client creates a new temporary access token, authenticated via Other tokens are also generated to access supported services such as SharePoint and Outlook. 

After the findings were responsibly disclosed on March 23, Microsoft patched the vulnerability in an update released on April 20.