Microsoft has announced that it has issued a patch for a severe flaw in Microsoft Teams that could have allowed a user's account to be taken over simply by viewing a GIF. The security issue stemmed from the way that Teams handles images and could allow data theft and account hijacking. The security flaw was discovered by a security firm called CyberArk over a month ago.
CyberArk worked with the Microsoft Security Response Center under the Coordinated Vulnerability Disclosure process to fix the flaw. Repairing such a sensitive flaw was a priority given the massively increased number of users relying on Teams for education, work, and healthcare during the coronavirus pandemic. CyberArk was able to show Microsoft how it was possible to use a compromised subdomain to host images and steal security tokens merely by getting the user to view an image.
One of the most serious aspects of this particular attack was that it was invisible to the user. CyberArk said that it found two Microsoft subdomains vulnerable to takeover: aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.
CyberArk said, "If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim's Teams account data." The security firm said that the attacker would need to issue a certificate for the compromised sub-domains, but that was possible. The victim of this attack would never know they were compromised, making this attack particularly dangerous. Microsoft has seen a major increase in demand for Teams in recent months.
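The mechanism CyberArk describes depends on a browser sending an authentication cookie to a sibling subdomain: under RFC 6265 a cookie carrying a Domain attribute is sent to that domain and every subdomain of it, while a cookie without one is host-only. The following audit script is an added example (not CyberArk's or Microsoft's code) that checks Set-Cookie headers for exactly that exposure. The cookie name "authtoken" and the subdomain aadsync-test.teams.microsoft.com come from the article; the cookie values, the Domain scoping of the first sample header and the issuing host are constructed assumptions, not a record of how Teams actually set its cookies.

```python
"""Audit Set-Cookie headers for scope that would leak them to a sibling subdomain.

Added example, not CyberArk's or Microsoft's code. Cookie values are constructed;
the cookie name and the subdomain are taken from the article.
"""


def cookie_sent_to(domain_attr, issuing_host, request_host):
    """RFC 6265 section 5.1.3 domain matching.

    A cookie with a Domain attribute goes to that domain and all its
    subdomains; a cookie without one is host-only and goes back only
    to the exact host that set it.
    """
    request_host = request_host.lower().rstrip(".")
    if not domain_attr:
        return request_host == issuing_host.lower().rstrip(".")
    domain = domain_attr.lower().lstrip(".").rstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_cookie(header, issuing_host, untrusted_host):
    """Return findings for one Set-Cookie header.

    untrusted_host is a sibling subdomain assumed to be at risk of takeover;
    the article names aadsync-test.teams.microsoft.com as such a host.
    """
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    domain_attr = attrs.get("domain", "")
    if cookie_sent_to(domain_attr, issuing_host, untrusted_host):
        findings.append(
            f"{name}: Domain={domain_attr!r} means the browser also sends it to {untrusted_host}"
        )
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (would also be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by page script)")
    return findings


# Constructed sample headers: the first has the risky shape (a domain-scoped
# auth cookie), the second the hardened, host-only form of the same cookie.
SAMPLE_HEADERS = [
    "authtoken=CONSTRUCTED_VALUE; Domain=teams.microsoft.com; Path=/; Secure; HttpOnly",
    "authtoken=CONSTRUCTED_VALUE; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def audit_all(headers, issuing_host="teams.microsoft.com",
              untrusted_host="aadsync-test.teams.microsoft.com"):
    """Audit every header; returns one list of findings per header."""
    return [audit_cookie(h, issuing_host, untrusted_host) for h in headers]


if __name__ == "__main__":
    for header, findings in zip(SAMPLE_HEADERS, audit_all(SAMPLE_HEADERS)):
        print(header)
        for line in findings or ["no findings"]:
            print("  " + line)
```

The defender's takeaway is in the second sample header: dropping the Domain attribute makes the cookie host-only, so a taken-over sibling subdomain never receives it, regardless of whether the attacker can obtain a certificate for that host.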