We could have equipped Microsoft teams with a GIF, says Israeli InfoSec outfit

%1$s', sprintf( '', esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ), esc_attr( sprintf( __( 'View all posts by %s', 'generatepress' ), get_the_author() ) ), esc_html( get_the_author() ), get_avatar( get_the_author_meta( 'ID' ) ) ) ); $time_string = ''; if ( get_the_time( 'U' ) !== get_the_modified_time( 'U' ) ) { $time_string = $time_string . ''; } $time_string = sprintf( $time_string, esc_attr( get_the_date( 'c' ) ), esc_html( get_the_date() ), esc_attr( get_the_modified_date( 'c' ) ), esc_html( get_the_modified_date() ) ); printf( '%1$s', // WPCS: XSS ok, sanitization ok. sprintf( '%3$s', esc_url( get_permalink() ), esc_attr( get_the_time() ), $time_string ) ); if ( ! is_single() && ! post_password_required() && ( comments_open() || get_comments_number() ) ) { echo ''; comments_popup_link( __( 'Comments', 'generatepress' ), __( '1 Comment', 'generatepress' ), __( '% Comments', 'generatepress' ) ); echo ''; } ?>


A vulnerability existed in Microsoft's Slack for Suits tool, Teams, which could have let a remote attacker take control of accounts by simply sending a malicious GIF, say the Infosec researchers.

The pwn-with-GIF vuln was possible, says Cyberark, thanks to two compromised Microsoft subdomains with a carefully crafted animated image file.

Although he is a theoretical vulgar responsibly disclosed and has not been abused in the wild as far as is known, he illustrates that not all online collaboration platforms are as secure as you would expect.

“Even if an attacker does not collect a lot of information from a team account, he could use the account to browse an entire organization (like a worm),” thought Cyberark researcher Omer Tsarfati.

The Israeli group Infosec said it had alerted Redmond to the two subdomains, which had caused their DNS entries to change. The rest of the Vuln team was corrected on Monday April 20.

Cyberark said that Teams retrieves the content of images in messages in different ways. One of them, he said, involves the use of device browser resource loading, which he described as defining “an ‘src' attribute of a URI on an HTML tag. IMG “and the configuration of cookies.

After examining the network traffic of the teams, Cyberark said that its researchers had discovered that one of these cookies contained a unique key necessary to create an authentication token, which then allowed his team to access information ” valuable “, including the content of the messages.

“If an attacker can force a user to visit the subdomains that have been taken over, the victim's browser will send this cookie to the attacker's server and the attacker (after receiving the authtoken) can create a Skype token [a named token used to authenticate the user to Teams for loading images]. After doing all of this, the attacker can steal data from the victim's team account, “said the research group.

From there, it was simple to create a malicious GIF file that could be sent in a Teams message. “By sending an image to our victim with a ‘src' attribute set on the compromised subdomain via Teams chat,” said Cyberark, “the victim's browser will try to load the image and send the authtoken cookie to the compromised subdomain. ” field.”

With a copy of the cookie, the attacker can then extract images, files, etc. the user account of the target team.

Microsoft was invited to comment.

El Reg analyzed in detail the teams earlier this month from a business use perspective after adding new features. ®

Webcast: Build the Next Generation of Your Business in the Public Cloud


Notify of
Inline Feedbacks
View all comments