Microsoft Teams, all it takes is a GIF to lose your account

Security researchers have found a vulnerability in Microsoft Teams that lets attackers take over users' accounts. Here is how to defend yourself

The boom in remote work and video conferencing is bringing to the surface the weaknesses of the most popular platforms for working from home: Zoom is not the only one that is easy to attack. Microsoft Teams has a serious security problem too, and an account can be hijacked with a simple GIF image.

This was discovered by CyberArk researchers, according to whom this widely exchanged type of file makes it possible to "steal user data and, ultimately, take possession of all the accounts of an entire organization". The bug, according to CyberArk, affects both the Teams desktop app and the web version used in a browser. It is therefore a problem of the whole Teams platform, because the exposure arises during the sign-in phase, which both the app and the browser go through. Fortunately, the attack is not easy to pull off, and Microsoft has already taken the first countermeasures.

Why Microsoft Teams is at risk from hackers

CyberArk found that every time Teams is opened, the client obtains a new temporary access token, authenticated via the login.microsoftonline.com domain. Further tokens are generated for related services such as SharePoint and Outlook. These tokens are meant to protect the signed-in account, but they are the source of the problem: access is restricted by two cookies, "authtoken" and "skypetoken_asm".

The first of these, authtoken, is sent to the teams.microsoft.com domain and to all of its subdomains, two of which were found to be vulnerable: an attacker could gain control of them, so any request to those hostnames lands on the attacker's server. "If a malicious user can somehow force a user to visit the vulnerable subdomains," CyberArk explains, "the victim's browser will send this cookie to the attacker's server, and the malicious user (after receiving the authentication token) can create a Skype token. After doing all this, the attacker can steal the victim's Teams account data."

How the attack to steal a Microsoft Teams account works

CyberArk reports that the attack worked every time it was tried, but it is not that easy to pull off: everything hinges on getting the victim's browser or Teams client to load something from the weak subdomains. To do that, the attacker could send the victim a link (which would look suspicious) or a GIF image, a type of file exchanged constantly in chats. A GIF hosted on one of the vulnerable subdomains is fetched automatically by the victim's client as soon as the message is displayed, and the cookie travels with that request, so no click is required. Microsoft was informed of the vulnerability and stated: "Although we have not detected any practical use of this technique, we have taken steps to protect our customers."
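The cookie scoping described in the two sections above (a cookie scoped to teams.microsoft.com is sent to every subdomain, so a GIF loaded from a hijacked subdomain carries it to the attacker) can be reproduced offline with a small model of the browser's cookie rules. The following is an added example, not code from CyberArk's research, from Microsoft, or from the article: it implements RFC 6265 domain and path matching, builds a constructed cookie jar with the authtoken cookie scoped the way the article describes, and reports which cookies a client would attach when it fetches an image from a given host. The article does not name the two vulnerable subdomains; the hostnames hijacked-sub.teams.microsoft.com and evilteams.microsoft.com, the GIF path and the cookie value are hypothetical placeholders.

```javascript
// Added example, not code from CyberArk's write-up or from Microsoft Teams.
// Models RFC 6265 cookie scoping to show why a cookie scoped to the
// teams.microsoft.com domain is attached to a request for a GIF hosted on
// any subdomain, including one an attacker controls.
// "hijacked-sub.teams.microsoft.com", "evilteams.microsoft.com", the GIF
// path and the cookie value are hypothetical placeholders.

// RFC 6265 section 5.1.3 domain matching: the request host must equal the
// cookie domain or end with "." + cookie domain. A look-alike host such as
// "evilteams.microsoft.com" therefore does NOT match "teams.microsoft.com".
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// RFC 6265 section 5.1.4 path matching; the default cookie path "/" matches
// every request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
// A host-only cookie (set without a Domain attribute) goes to exactly one
// host; a domain cookie (set with Domain=...) goes to that host and to every
// subdomain of it. Secure cookies are only sent over https.
function cookiesForRequest(jar, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  return jar
    .filter(c => (c.hostOnly ? host === c.domain.toLowerCase() : domainMatches(host, c.domain)))
    .filter(c => pathMatches(u.pathname, c.path || "/"))
    .filter(c => !c.secure || u.protocol === "https:")
    .map(c => c.name);
}

// Constructed jar matching the article's description: authtoken is scoped to
// teams.microsoft.com and all of its subdomains. The value is a placeholder.
const TEAMS_JAR_AS_DESCRIBED = [
  { name: "authtoken", value: "PLACEHOLDER", domain: "teams.microsoft.com",
    hostOnly: false, path: "/", secure: true },
];

// Hardened variant: the same cookie set without a Domain attribute, so it is
// host-only and never travels to a subdomain; taking over any subdomain then
// yields nothing.
const TEAMS_JAR_HOST_ONLY = TEAMS_JAR_AS_DESCRIBED.map(c => ({ ...c, hostOnly: true }));

// The victim's client renders a chat message whose GIF is hosted on an
// attacker-controlled subdomain (hypothetical name). The image is fetched
// automatically; return the cookie names that ride along with that request.
const GIF_ON_HIJACKED_SUBDOMAIN = "https://hijacked-sub.teams.microsoft.com/funny.gif";

function leakedCookies(jar, gifUrl = GIF_ON_HIJACKED_SUBDOMAIN) {
  return cookiesForRequest(jar, gifUrl);
}

console.log("domain cookie, hijacked subdomain:", leakedCookies(TEAMS_JAR_AS_DESCRIBED));
console.log("host-only cookie, hijacked subdomain:", leakedCookies(TEAMS_JAR_HOST_ONLY));
console.log("host-only cookie, teams.microsoft.com itself:",
  cookiesForRequest(TEAMS_JAR_HOST_ONLY, "https://teams.microsoft.com/"));
console.log("domain cookie, look-alike host:",
  leakedCookies(TEAMS_JAR_AS_DESCRIBED, "https://evilteams.microsoft.com/funny.gif"));
```

The first call shows the leak: with a Domain attribute, the authtoken cookie goes to the hijacked subdomain along with the image request, without the victim clicking anything. The second and third calls show the hardened form, a host-only cookie that is still sent to teams.microsoft.com itself but to nothing beneath it. The fourth call shows that an unrelated look-alike host gets nothing, which is why the attack needs a real subdomain of teams.microsoft.com and not just a similar name. The two checks a practitioner takes from this are therefore whether session cookies are host-only, and whether any DNS records for subdomains of the parent domain are dangling and could be claimed by an outsider.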