Microsoft Teams Vulnerability Could Have Let Attackers Compromise Accounts Using Links, GIFs

The vulnerability existed within the system through which Microsoft Teams passes the authentication access token.

By Jagmeet Singh | Updated: 28 April 2020 19:00 IST
Highlights
  • Microsoft Teams uses subdomains that could be compromised by attackers
  • CyberArk researchers have found the flaw
  • Microsoft claims Teams has patched the loophole

Microsoft Teams has grown to over 4.4 crore users globally

Microsoft Teams has become a popular and useful tool for organisations working remotely, especially during the ongoing coronavirus outbreak. It offers a long list of features to win professionals over from alternatives such as Slack and Google Hangouts Meet. However, security researchers have found a vulnerability in Microsoft Teams that could have let attackers compromise professional accounts using nothing more than specially crafted links or even witty GIFs. The Redmond company has acknowledged the flaw and fixed it, heading off any widespread outrage.

The vulnerability lay in the mechanism through which Microsoft Teams passes the authentication access token to image resources, as explained by researchers at information security firm CyberArk. An attacker could have exploited that loophole to craft a link or GIF file which, once processed by Microsoft Teams, sends the authentication token to a third-party server.

With a malicious link, the token is delivered to the attacker-controlled server once the user clicks on it. With a GIF file, however, the token is sent from the Teams account merely by viewing the specially crafted image; no click is required.

Once in possession of the authentication token, the researchers noted, the attacker could use the Teams API interfaces to ultimately take over the victim's account. The flaw could also let the attacker read the messages received by the affected user or send messages on their behalf. The researchers further said that the vulnerability could spread automatically from one account to every connected account in a company using Microsoft Teams.

“The GIF could also be sent to groups (aka Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps,” the researchers wrote in a blog post.

A proof-of-concept (PoC) has also been developed by the researchers to show the scope of the flaw.

That said, the access token could only be used to take over an account if it was sent to a particular subdomain of teams.microsoft.com. This means the attacker first needed to compromise such a subdomain in order to gain backdoor access to the victim's account.
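The scoping property the article describes, that a credential meant for teams.microsoft.com is also handed to any host beneath it, modelled as an added illustration (not code from the article, Microsoft or CyberArk). It assumes the token is released by domain-suffix matching in the manner of a browser cookie's Domain attribute, which the article does not state; the subdomain and credential name are constructed placeholders, and the host-only variant shows the hardened scoping beside the wide one.

```python
"""Constructed model of domain-scoped credential release (not Teams' real code).

A credential scoped to a parent domain is attached to requests for every host
beneath it, so control of one subdomain is enough to receive it.
"""
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class Credential:
    name: str
    domain: str              # scope, e.g. "teams.microsoft.com"
    host_only: bool = False  # True: attach only to exactly this host

def domain_matches(request_host: str, cred_domain: str) -> bool:
    """RFC 6265 domain-match: identical, or host ends with '.' + domain."""
    host = request_host.lower().rstrip(".")
    scope = cred_domain.lower().rstrip(".")
    return host == scope or host.endswith("." + scope)

def credentials_sent(request_host: str, jar: list[Credential]) -> list[str]:
    """Names of the credentials a client attaches to a request for request_host."""
    sent = []
    for cred in jar:
        if cred.host_only:
            if request_host.lower().rstrip(".") == cred.domain.lower():
                sent.append(cred.name)
        elif domain_matches(request_host, cred.domain):
            sent.append(cred.name)
    return sent

def credentials_for_image(image_url: str, jar: list[Credential]) -> list[str]:
    """What an embedded image (e.g. a GIF) fetched from image_url would carry."""
    host = urlparse(image_url).hostname or ""
    return credentials_sent(host, jar)

# Constructed hosts; the subdomain is a placeholder, not a reported finding.
TAKEN_OVER_HOST = "placeholder-subdomain.teams.microsoft.com"
WIDE_SCOPE = [Credential("access_token", "teams.microsoft.com")]
HOST_SCOPE = [Credential("access_token", "teams.microsoft.com", host_only=True)]

if __name__ == "__main__":
    gif = f"https://{TAKEN_OVER_HOST}/funny.gif"
    print("wide scope :", credentials_for_image(gif, WIDE_SCOPE))  # ['access_token']
    print("host-only  :", credentials_for_image(gif, HOST_SCOPE))  # []
```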

Microsoft addresses the flaw
At the time of their testing, the CyberArk researchers were able to find only two subdomains that allowed takeover using the access token. It is, however, unclear whether the flaw could be exploited through other subdomains. Cyber-security news site SecurityWeek reports that Microsoft has ensured the subdomains identified by the researchers can no longer be used for exploitation. The company has also released a statement confirming the fix.

“We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe,” a Microsoft spokesperson said as quoted by SecurityWeek.

Coronavirus spread helped Teams reach new users
Although Microsoft Teams had been a strong competitor to the professional communication platform Slack since its launch for Office 365 customers in March 2017, it gained huge popularity during the coronavirus outbreak as large numbers of people started working from home to limit the pandemic's spread. The app added over 1.2 crore daily users in one week last month, a 37.5 percent jump. It has over 4.4 crore users worldwide, with more than 2.4 crore added since November.

The outbreak hasn't just boosted Microsoft Teams; apps such as Zoom, which were not widely used by the public before, have benefited too.
