
Microsoft Teams vulnerability opens door to image-based attacks


A single malicious GIF delivered to a Microsoft Teams user could have been enough for the sender to take over multiple business accounts, according to a new report from security researchers at CyberArk.

Besides seizing control of accounts, the recently discovered vulnerability (which has now been patched) could also have allowed hackers to harvest valuable data.

“Even if an attacker doesn’t gather much information from a Teams account, they could use the account to traverse throughout an organisation (just like a worm),” wrote Omer Tsarfati, Cybersecurity Researcher at CyberArk.

“Eventually, the attacker could access all the data from your organisation Teams accounts – gathering confidential information, competitive data, secrets, passwords, private information, business plans, etc.”

The vulnerability revolves around the JSON Web Token (“authtoken”) and the “skype token”, which allow Teams users to share images between different Microsoft services, such as SharePoint or Outlook.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server, and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” said the report.

The report goes on to explain that, with both tokens in hand, an attacker could make calls through the Teams API interfaces, allowing them to send or read messages, create groups, manage group members and change group permissions.
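As an added illustration (not code from CyberArk's report or from Microsoft), the following Python models RFC 6265 cookie domain matching to show why an auth cookie scoped to a parent domain is attached to requests for every subdomain, including a taken-over one, while a host-only cookie is not. The host names are constructed placeholders, not the real Teams hosts.

```python
"""Model of browser cookie domain matching (RFC 6265 section 5.1.3).
Added illustration: shows how a parent-domain cookie reaches a stale
subdomain, and how a host-only cookie does not.  Domain names below
are constructed placeholders, not the real Teams hosts."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str          # Domain attribute; "" means a host-only cookie
    set_by: str          # host that issued the Set-Cookie header
    secure: bool = True  # Secure attribute: HTTPS-only


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if the host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def is_sent_to(cookie: Cookie, request_host: str, https: bool = True) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.secure and not https:
        return False
    if not cookie.domain:                       # host-only: exact host only
        return request_host.lower() == cookie.set_by.lower()
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts) -> list:
    """Subset of hosts that would receive this cookie."""
    return [h for h in hosts if is_sent_to(cookie, h)]


# Constructed inventory: the live host and a stale subdomain whose DNS
# record dangles, i.e. the kind of name an outside party could claim.
HOSTS = ["teams.example.com", "stale-sub.teams.example.com"]

# Weak setting: cookie scoped to the parent domain.
BROAD = Cookie("authtoken", domain="teams.example.com", set_by="teams.example.com")
# Narrowed setting: host-only cookie (no Domain attribute).
NARROW = Cookie("authtoken", domain="", set_by="teams.example.com")

if __name__ == "__main__":
    for c in (BROAD, NARROW):
        print(c.domain or "(host-only)", "->", hosts_receiving(c, HOSTS))
```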

The vulnerability, reported to Microsoft on March 23, appears not to have been exploited by cybercriminals.

“We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe,” said Microsoft in a written statement.