back to article We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit

A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim. The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated …

  1. Pascal Monett Silver badge

    Seems like a lot of hoops

    The whole process sounds rather simple to set up, but it's not exactly simple to execute - unless Teams automatically loads an image when sent a link.

    Given that this is Microsoft we're talking about, that seems more than likely. Still, you have to be able to send the person a link. That means that you have to have the Teams user name or something like that. How easy is that to get if you're not in the company Teams list ?

    Full disclosure : I don't use Teams, as you might have guessed.

    1. Captain Scarlet Silver badge

      Re: Seems like a lot of hoops

      If you copy and paste an image yes it opens a preview in the chat window.

      Other than that the typical Teams chat is spammed Gifs of Scooby Doo and Garfield memes.

      1. GruntyMcPugh Silver badge

        Re: Seems like a lot of hoops

        @Captain Scarlet : "Scooby Doo and Garfield"

        When I used to use an instant messenger service to communicate with a colleague, our two favourite animated .gifs were tumbleweed and a bunny banging it's head against a wall. I don't think I need to explain either : -)

        1. Captain Scarlet Silver badge
          Happy

          Re: Seems like a lot of hoops

          Yeah just a shame most won't search for keywords like RTFM

    2. gerdesj Silver badge
      Childcatcher

      Re: Seems like a lot of hoops

      "After doing all of this, the attacker can steal the victim's Teams account data"

      Quite often that is their AD user account and password thanks to the convenient hookup between AD and Azure. There are rather a lot of hastily cobbled together remote desktops and so on around the world right now.

    3. HarrisMirza

      Re: Seems like a lot of hoops

      AFAIK, you need to be a member of the same organisation or be on a call with the victim to be able to send them a message so that limits the usefulness of this.

      1. Yet Another Anonymous coward Silver badge

        Re: Seems like a lot of hoops

        Or one machine in an organsiation needs to have already been compromised before the weekly all-hands bullshit meeting

        1. Woodnag

          BS?

          Do you mean the weekly all-hands bullshit meeting that pretends to be an "Is everyone well and happy?" check, but is really an "Is everyone working hard and getting stuff done?" sniff test.

      2. Esteeb

        Re: Seems like a lot of hoops

        Your point is well taken about the limitations on sending random messages; that said, there does appear to be a way to grant guest access to Microsoft Teams to folks using their email addresses:

        https://docs.microsoft.com/en-us/microsoftteams/communicate-with-users-from-other-organizations

        So, theoretically, imagine if someone were able to add themselves to Teams using an external address without admin intervention or approval. Again, possibly limited usefulness in and of itself. Cobbled together, however, might open the door for exactly this type of malicious message vulnerability.

  2. HildyJ Silver badge
    Alert

    Not "not all"

    "not all online collaboration platforms are as secure as one might hope"

    This is overly generous. It should read "no online collaboration platforms are as secure as one might hope."

    1. Anonymous Coward
      Anonymous Coward

      Re: Not "not all"

      It should really read "no online collaboration platforms are even near secure"

      Zoom routes everything via China, how convinient. "crypted" but not really.

      Teams routes everything, including private messages, via Redmont. Unencrypted of course.

      Pieces of BS spyware. Or 'collaboration'with US and Chinese authorities, spiced with Microsoft.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not "not all"

        What does Whatsapp do wrong that you don't like?

        Or Signal?

  3. mikus

    Reminds me of the 90's and days of aol when you could crash someone's computer remotely just by sending malformed html, otherwise known as punting. That was fun for years and never got old. Now I can crash a coworkers! Or pwn them, hmm...

  4. Anonymous Coward
    Anonymous Coward

    So ..

    .. it's 2020 and Windows can STILL be breached with a GIF.

    WTF?

    1. Version 1.0 Silver badge
      Unhappy

      Re: So ..

      So who's actually surprised? It's just Windows after all, we know that security has never been an issue for Microsoft, they are too busy adding new features and collecting data to worry about security.

      Downvote this post if you believe that Microsoft cares more about security than collecting your data.

    2. Anonymous Coward
      Anonymous Coward

      Re: So ..

      "I would like to shake the hand of the man who first decided that e-mail clients should slice, dice and run arbitrary programs. Then I'd like to stir, blend and puree his hand."

      -- J. D. Baldwin in the Monastery

      1. Claptrap314 Silver badge

        Re: So ..

        Remember when we used to tell everyone that you could not get a virus from email?

        As in--it was not physically possible.

        I miss that.

    3. Anonymous Coward
      Anonymous Coward

      Re: So ..

      Or a font...

  5. Lotaresco Silver badge
    Joke

    Don't worry

    Microsoft managed to patch the vulnerability in a GIF.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020