from Hacker News

Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams

by jrenshaw on 4/27/20, 12:29 PM with 67 comments

  • by godelmachine on 4/27/20, 4:22 PM

    Just today I was joking with my colleagues on Teams - "Who is the Product Manager of Teams, and why hasn't Mr. Gates fired him/her yet!"

    At the peril of being downvoted, I am going to rant, but rant I shall.

    Last year they tried to move all Skype users to Teams, which failed miserably. Today, they have tried doing the same, but much to my chagrin, the issue from last year still persists. We are not able to share screens with Skype users. One user just got irritated and left.

    A few weeks ago they forgot to renew their SSL certificate, which is unacceptable for a corporation like Microsoft.

    And now this. It makes me loathe Teams even more.

  • by eugenekolo on 4/27/20, 2:18 PM

    Weird lead-in about GIFs to simply saying they had a subdomain takeover.

  • by ThePowerOfFuet on 4/27/20, 2:05 PM

    Shame they totally skipped the whole subdomain takeover bit, which was required for the exploit to work.

  • by ChrisArchitect on 4/27/20, 4:59 PM

    Please change the title of this to remove the 'beware the gif' part if it doesn't really have anything to do with the vulnerability.

  • by nogabebop23 on 4/27/20, 8:02 PM

    Outside of my wheelhouse, but is the actual vulnerability here that a legit domain has a legit subdomain CNAME record pointing at an uncontrolled endpoint; $BAD_PERSON registers the target domain and then tricks a user into hitting the endpoint with credentials in cookies?

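    The two conditions asked about above (a CNAME whose target nobody controls any more, plus cookies scoped to the parent domain reaching that subdomain) can be checked from the defender's side. This is an added example, not code from the article or any commenter; the zone records, hostnames and IPs are constructed, and the DNS resolver is a stand-in so it runs offline.

```python
"""Dangling-CNAME audit with a cookie-scope check.

A CNAME pointing at a hostname that no longer resolves is the precondition
for a subdomain takeover; because browsers match cookies by domain suffix,
a cookie set for the parent domain is also sent to such a subdomain.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample zone: (record name, CNAME target). All names hypothetical.
SAMPLE_CNAMES: List[Tuple[str, str]] = [
    ("cdn.example.test", "d1234.cdn-provider.test."),
    ("old-app.example.test", "retired-app.hosting-provider.test."),
    ("www.example.test", "lb.example.test."),
]

# Constructed resolver view: target -> A record, or None meaning NXDOMAIN.
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "d1234.cdn-provider.test": "198.51.100.7",
    "retired-app.hosting-provider.test": None,  # provider released this name
    "lb.example.test": "203.0.113.10",
}

Resolver = Callable[[str], Optional[str]]


def offline_resolver(name: str) -> Optional[str]:
    """Stand-in for an A lookup; swap in a real resolver (e.g. dnspython)."""
    return SAMPLE_ANSWERS.get(name)


def find_dangling_cnames(records: List[Tuple[str, str]],
                         resolve: Resolver) -> List[Tuple[str, str]]:
    """Return (subdomain, target) pairs whose CNAME target does not resolve."""
    return [(name, target) for name, target in records
            if resolve(target.rstrip(".").lower()) is None]


def cookie_reaches_host(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain-match: Domain=example.test covers every subdomain,
    including one that has been taken over. A leading dot is ignored."""
    cd = cookie_domain.lstrip(".").lower()
    host = host.rstrip(".").lower()
    return host == cd or host.endswith("." + cd)


if __name__ == "__main__":
    for name, target in find_dangling_cnames(SAMPLE_CNAMES, offline_resolver):
        exposed = cookie_reaches_host("example.test", name)
        print(f"DANGLING {name} -> {target}; parent-domain cookies reach it: {exposed}")
```

    Run against a real zone export, the dangling list is the set of records to delete or re-point before anyone else can claim the targets.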
  • by abluecloud on 4/27/20, 1:52 PM

    I'm confused as to how they do the subdomain takeover.

  • by scottmcdot on 4/27/20, 8:41 PM

    Putting subdomain takeover aside, are the gifs that are available to use in the chat pane all screened by Microsoft and deemed SFW (safe for work)? I see some of them are watermarked with 'giphy'. Does that mean if it's available on giphy.com it's available to share on Teams?

  • by bawolff on 4/27/20, 4:19 PM

    Ugh, that was an annoying article. Clickbaity and burying the lede, which turned out to be very uninteresting.

  • by egfx on 4/27/20, 3:41 PM

    Wasn’t WhatsApp also compromised via gif? Gif is a really remarkable format that seems so simple but it’s much more. It’s just a series of images with timings but then you realize that the first few bits of the gif can be written with arbitrary code.

    A somewhat deep dive into the format https://enthusiasms.org/post/16976438906

  • by A4ET8a8uTh0 on 4/27/20, 2:32 PM

    I was always confused by seeing those types of exploits. In my head, I could not see why a GIF would cause anything other than showing up on screen. But then I remember I think of offline activity.

    All that said, and please excuse my ignorance here, but how common is it for a subdomain not to be under the control of its owner?

  • by rmac on 4/27/20, 3:43 PM

    ... buried the lede

    it's subdomain takeover

  • by thyrsus on 4/27/20, 2:33 PM

    This is why one should not automatically load external content in e-mails. This Forbes article covers the same territory: https://www.forbes.com/sites/thomasbrewster/2020/04/27/your-...

    I have to say, these headlines immediately made me think of this long ago fixed bug: https://www.cvedetails.com/cve/CVE-2008-2160/