A serious vulnerability existed in Microsoft Teams that allowed account hijacking. Simply sending a malicious GIF to the victim could allow an adversary to take over the target account.
Researchers from CyberArk have discovered a serious account hijacking vulnerability in Microsoft Teams. Exploiting the bug allowed an attacker to stealthily take over target accounts using a malicious GIF.
As stated in their blog post, the problem existed because of how Microsoft Teams generates access tokens. Briefly, the Microsoft Teams client creates numerous access tokens for purposes other than login. These include tokens for sharing images as well as one called ‘Skype Token’.
While user authentication for images may be a tedious process, Microsoft implements two cookies, “authtoken” and “skypetoken_asm”, for quick loading. The client stores the Skype Token for teams.microsoft.com and its subdomains, including two vulnerable subdomains, aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.
If an adversary hijacks a vulnerable subdomain, they could then access the authtoken required to generate the Skype token needed for authentication, simply by sending a malicious .GIF file. As stated by the researchers,
The attacker could scrape the victim’s data stealthily. Moreover, an attacker could also exploit this bug to target enterprise accounts due to the wormable nature of the exploit.
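The root condition described above is a cookie scoped to a parent domain, which browsers then send to every subdomain. As an added example (not code from the article or from CyberArk), the following audit checks which cookies would reach a list of at-risk hosts using the RFC 6265 domain-match rule; the header values and the `ui_pref` cookie are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample data: header values are illustrative, not captured from Teams.
ORIGIN = "teams.microsoft.com"
SAMPLE_HEADERS = [
    "authtoken=CONSTRUCTED; Domain=.teams.microsoft.com; Path=/; Secure",
    "ui_pref=dark; Path=/; Secure",  # hypothetical host-only cookie, for contrast
]
# Hosts the article names as vulnerable to takeover.
AT_RISK = ["aadsync-test.teams.microsoft.com", "data-dev.teams.microsoft.com"]

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def parse_set_cookie(header, origin_host):
    """Return (name, scope, host_only) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lstrip(".")
    # No Domain attribute means host-only: sent to the setting host alone.
    return name, (domain or origin_host), not domain

def exposed_cookies(headers, origin_host, at_risk_hosts):
    """Map each at-risk host to the cookie names a browser would send it."""
    findings = {}
    for header in headers:
        name, scope, host_only = parse_set_cookie(header, origin_host)
        for host in at_risk_hosts:
            if host_only:
                receives = host.lower() == scope.lower()
            else:
                receives = domain_match(host, scope)
            if receives:
                findings.setdefault(host, []).append(name)
    return findings

if __name__ == "__main__":
    for host, names in exposed_cookies(SAMPLE_HEADERS, ORIGIN, AT_RISK).items():
        print(f"{host}: receives {', '.join(names)}")
```

Any host that appears in the output is one whose DNS records and hosting ownership should be verified, since whoever controls it receives the listed cookies.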