Security researchers have uncovered a flaw in Microsoft Teams that enabled them to steal messages from user accounts by sending a malicious GIF image.
Security firm CyberArk demonstrated the attack in a video released Monday. Its researchers used the internet meme “Whale Hello There” to trigger the vulnerability in a chat session with a target user. The attack then secretly looted every Microsoft Teams message written by the victim.
“Eventually, the attacker could access all the data from your organization’s Teams accounts — gathering confidential information, meetings and calendar information, competitive data, secrets, passwords, private information, business plans, etc,” CyberArk said in its report.
Researchers uncovered the flaw while examining how Microsoft Teams sends and receives image files over the workplace messaging platform. As image files get shared and stored, the software generates an authentication token that determines which users can see the images and which ones cannot.
The same access tokens are stored in the user’s browser as a cookie. Only servers under the teams.microsoft.com domain should be able to retrieve the cookie, given that the authentication tokens are vital to account security. However, CyberArk discovered that two subdomains, “aadsync-test.teams.microsoft.com” and “data-dev.teams.microsoft.com,” were vulnerable to takeover, opening the door for a hacker-controlled server to stage the attack.
“If an attacker can somehow force a user to visit the subdomains that have been taken over, the victim’s browser will send this cookie to the attacker’s server,” CyberArk said. “After doing all of this, the attacker can steal the victim’s Teams account data.”
Getting a user to visit the subdomain could be accomplished by tricking the victim with a phishing message. However, CyberArk realized the attack could also be repackaged as a GIF hosted on the taken-over subdomain: the victim’s client automatically contacts that subdomain to load the image, with no click required.
“When the victim opens this message, the victim’s browser will try to load the image and this will send the authtoken cookie to the compromised subdomain,” the company said. “The victim will never know that they’ve been attacked, making the exploitation of this vulnerability stealthy and dangerous.”
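The mechanism behind this is ordinary cookie scoping: a cookie set with a Domain attribute is sent to every subdomain of that domain, so any subdomain an outsider can take over receives it. The following audit helper is an added example, not CyberArk’s or Microsoft’s code; it applies RFC 6265 domain matching to a constructed Set-Cookie header (the cookie name and value are placeholders) against the two subdomains named in the report, and contrasts it with a host-only cookie purely to show the scoping difference. The article does not say how Microsoft fixed the issue.

```python
"""Check which hosts a Set-Cookie header would be delivered to (RFC 6265 rules)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CookieScope:
    name: str
    domain: str       # effective domain, lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def parse_set_cookie(header: str, origin_host: str) -> CookieScope:
    """Derive a cookie's scope from its Set-Cookie value and the host that set it.

    RFC 6265 section 5.3: no Domain attribute means host-only; a Domain
    attribute covers that domain and every subdomain beneath it.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    domain: Optional[str] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = value.strip().lower().lstrip(".")
    if domain is None:
        return CookieScope(name, origin_host.lower(), host_only=True)
    return CookieScope(name, domain, host_only=False)


def is_sent_to(cookie: CookieScope, request_host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for a request to request_host."""
    host = request_host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def exposure(cookie: CookieScope, untrusted_hosts: list[str]) -> list[str]:
    """Hosts outside your control (e.g. dangling subdomains) that would get the cookie."""
    return [h for h in untrusted_hosts if is_sent_to(cookie, h)]


# Constructed sample data: the two subdomains named in CyberArk's report, and a
# placeholder token cookie scoped two ways (not Teams' real Set-Cookie header).
TAKEN_OVER = ["aadsync-test.teams.microsoft.com", "data-dev.teams.microsoft.com"]
WEAK = parse_set_cookie("authtoken=PLACEHOLDER; Domain=teams.microsoft.com; Path=/; Secure; HttpOnly",
                        "teams.microsoft.com")
HARDENED = parse_set_cookie("authtoken=PLACEHOLDER; Path=/; Secure; HttpOnly",
                            "teams.microsoft.com")

if __name__ == "__main__":
    print("Domain-scoped cookie reaches:", exposure(WEAK, TAKEN_OVER))
    print("Host-only cookie reaches:", exposure(HARDENED, TAKEN_OVER))
```

Run the script to see the domain-scoped cookie reach both taken-over hosts while the host-only cookie reaches neither; the same `exposure` check works against any inventory of subdomains you do not fully control.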
The good news is that Microsoft patched the problem on April 20, a month after CyberArk reported the flaw to the company. “While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe,” Microsoft told PCMag. The company also pointed out that the attack requires multiple steps, making it difficult to pull off.