A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.
The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated image file.
Although it was a responsibly disclosed theoretical vuln, and was not abused in the wild as far as is known, it illustrates that not all online collaboration platforms are as secure as one might hope.
"Even if an attacker doesn't gather much information from a Teams' account, they could use the account to traverse throughout an organization (just like a worm)," mused Cyberark researcher Omer Tsarfati.
The Israeli infosec outfit said it had alerted Redmond to the two subdomains, resulting in their DNS entries being tweaked. The rest of the Teams vuln was patched last Monday, 20 April.
Cyberark said that Teams fetches image content in messages in different ways. One of those, it said, involves using the device browser's resource loading, which it described as setting "an 'src' attribute of a URI to an HTML IMG tag" along with setting cookies.
After examining Teams' network traffic, Cyberark said its researchers discovered that one of those cookies contained a unique key needed to create an authentication token, which then allowed its crew access to "valuable" information, including the content of messages.
"If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a Skype token [a named token used to authenticate the user to Teams for loading images]. After doing all of this, the attacker can steal the victim's Teams account data," said the research outfit.
From here it was straightforward to create a malicious GIF file that could be sent in a Teams message. By "sending an image to our victim with an 'src' attribute set to the compromised sub-domain via Teams chat," said Cyberark, "the victim's browser will try to load the image and will send the authtoken cookie to the compromised sub-domain."
With a copy of the cookie, the attacker can then extract images, files and so on from the targeted Team user's account.
Microsoft has been asked for comment.
El Reg analysed Teams in detail earlier this month from a business usability perspective after new features were added. ®
- Internet Explorer
- Microsoft Build
- Microsoft Edge
- Microsoft Office
- Microsoft Surface
- Office 365
- Patch Tuesday
- SQL Server
- Visual Studio
- Visual Studio Code
- Windows 10
- Windows 11
- Windows 7
- Windows 8
- Windows Server
- Windows Server 2003
- Windows Server 2008
- Windows Server 2012
- Windows Server 2013
- Windows Server 2016
- Windows XP
- Xbox 360