Medusa-like GIFs only had to be seen to wreak havoc

Microsoft Teams GIF

UPDATED An organization’s Microsoft Teams accounts could be hijacked en masse through the exploitation of a security flaw via malicious GIFs, security researchers have revealed.

These information-stealing GIFs could propagate automatically across an enterprise’s Teams accounts without victims even sharing the file. A user only had to open the message to be impacted.

This made the now-patched subdomain takeover vulnerability “a nightmare from a security perspective”, said CyberArk security researcher Omer Tsarfati in a post published today (April 27).

Researchers from the Israeli security firm found that attackers could readily pilfer data such as usernames and passwords, meetings and calendar information, and sensitive commercial information.

“Maybe even more disturbing”, said Tsarfati, was that attackers could also “send false information to employees – impersonating a company’s most trusted leadership – leading to financial damage, confusion, direct data leakage, and more.”

Attacks could be executed without the victim’s knowledge via an ostensibly benign external communication like a job interview, suggested the researcher.

However, Microsoft told The Daily Swig that “the post appears to overstate severity, as the non-trivial technique would have required multiple steps by an attacker to impersonate a Teams user.”

Vulnerable subdomains

Two subdomains were vulnerable to takeover when receiving a cookie – skypetoken_asm – that permits or denies access to images and other content.

Successful exploitation hinged on duping certificate issuers into issuing a certificate for the compromised subdomains, since another cookie – authtoken – is flagged as secure.

Attackers could hurdle this obstacle easily by uploading a file to a specific path because the compromised subdomain pointed to the attacker’s server, said Tsarfati.

With businesses having wised up to the threat posed by suspicious links, the researchers deployed a GIF armed with an src attribute set to the compromised subdomain via Teams chat.

“When the victim opens this message, the victim’s browser will try to load the image and this will send the authtoken cookie to the compromised sub-domain,” said Tsarfati.

“This means the attacker will get their hands on the victim’s authtoken, allowing the attacker to create a skype token and ultimately providing the attacker a pathway to scrape all the victim’s data.”

Disclosure timeline

The number of customers using Microsoft Teams, which provides instant messaging, video meetings, and shared file storage for dispersed workforces, had surged to 44 million daily by March 28, with Italy – then the global coronavirus epicenter – seeing a 775% month-on-month increase.

CyberArk disclosed the vulnerability, which affected both desktop and web browser versions of Teams, to the Microsoft Security Research Center (MSRC) on March 23.

MSRC deleted the affected subdomains’ misconfigured DNS records later that day and issued a patch on April 20.

Omer Tsarfati told The Daily Swig that Microsoft mitigated the flaw swiftly upon being notified. 

“By removing the CNAM DNS records,” the tech giant quickly fixed the “critical” subdomain issue, then remedied “the GIF vulnerability so that the attack as we showed could not be replicated.”

A Microsoft spokesperson said the company had “worked with the researcher under Coordinated Vulnerability Disclosure”, and “while we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe.”

With so many organizations “relying on communication and collaboration technologies to stay connected to one another,” Tsarfati said “employees should be suspicious of any irregular messages and GIFs they get from users – especially if they don’t recognize or don’t regularly speak to that person – and specifically be aware of such messages from external parties.”

He also urged users to resist “sharing sensitive information – like passwords – on Teams or any collaboration tool for that matter. You never know who may be listening.”

GIF-related vulnerabilities have previously netted one security researcher a $10,000 bounty in March 2019 in relation to Facebook Messenger and prompted WhatsApp to issue a security patch in October 2019.

Zoom, another instant messaging and video conferencing platform to benefit from the remote working boom, has also come under scrutiny for its security and privacy shortcomings.

This article was updated on 27 April with comments added from Microsoft and CyberArk.

RELATED Cloud security: Microsoft launches ATT&CK-inspired matrix for Kubernetes