Researchers at CyberArk have discovered a vulnerability in Microsoft Teams’ image handling that allows an attacker to steal authentication cookies and take over user accounts. To exploit the vulnerability, an attacker needs to be in a Teams meeting with the targeted user and send a GIF hosted on an attacker-controlled server in the meeting chat. The recipient does not have to take any action: simply viewing the image in the chat window is enough to steal the authentication token and take over the account. Because of the way Microsoft handles images hosted on teams.microsoft.com or any subdomain under it, a hacker who performed a subdomain takeover of either of two misconfigured subdomains could begin receiving Skype and Teams authentication tokens when Teams sends them to the server to access the images.
The team at CyberArk found the following domains had been vulnerable to subdomain takeovers:
Businesses and individuals who use Microsoft Teams should upgrade client software to the latest version available from Microsoft and be cautious about joining Teams meetings with unknown or untrusted people. Before releasing this report, the team at CyberArk reported this vulnerability to Microsoft, and Microsoft issued the following fixes:
• Corrected misconfigured DNS records
• Issued a patch
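One way to audit your own DNS zone for the condition described above, a misconfigured record on a subdomain that still receives an authentication token, is sketched below in Python. This is an added example, not code from CyberArk or Microsoft. It assumes the token is a cookie matched to hosts by RFC 6265 domain-matching; every hostname, record and cookie name in it is constructed.

```python
# Added example: constructed inventory, not data from the CyberArk report.

def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain-match, for hostnames (not IP literals)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def cookie_sent_to(host, cookie):
    """Host-only cookies return to the setting host; Domain cookies to every match."""
    if cookie["domain"] is None:
        return host.lower() == cookie["set_by"].lower()
    return domain_match(host, cookie["domain"])

def dangling(records, live_targets):
    """CNAMEs whose target is gone (resource deleted, DNS record left behind)."""
    return [name for name, rtype, target in records
            if rtype == "CNAME" and target not in live_targets]

def exposed(records, live_targets, cookies):
    """(subdomain, cookie) pairs: dangling names that would be sent the cookie."""
    return [(name, c["name"])
            for name in dangling(records, live_targets)
            for c in cookies if cookie_sent_to(name, c)]

# Constructed sample data (hypothetical names under reserved example domains).
RECORDS = [
    ("img-test.chat.example.com", "CNAME", "old-app.cloud.example.net"),
    ("www.chat.example.com", "CNAME", "frontend.cloud.example.net"),
    ("legacy.example.com", "CNAME", "gone.cloud.example.net"),
    ("api.chat.example.com", "A", "192.0.2.10"),
]
LIVE_TARGETS = {"frontend.cloud.example.net"}  # targets that still exist
COOKIES = [
    {"name": "auth_token", "set_by": "chat.example.com", "domain": "chat.example.com"},
    {"name": "session", "set_by": "chat.example.com", "domain": None},
]

if __name__ == "__main__":
    for name, cookie in exposed(RECORDS, LIVE_TARGETS, COOKIES):
        print(f"{name}: dangling CNAME inside the scope of cookie '{cookie}'")
```

In a real audit, the set of live targets would come from resolving each CNAME target and confirming the resource behind it is still owned by you.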
To read more details about this vulnerability, please see: https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/