Microsoft Teams vulnerability could have exposed your account to hackers; flaw fixed

CyberArk researchers discovered a problem that meant viewing a GIF in Microsoft Teams could let hackers compromise an account.

By: Tech Desk | New Delhi | Updated: April 29, 2020 9:57:50 am
CyberArk found a vulnerability in Microsoft Teams that let hackers steal an account using a GIF. (Image: Pixabay/koehlertina1)

As more and more people are working remotely and staying connected via video conferencing solutions like Zoom and Microsoft Teams amid the COVID-19 lockdown, cybercriminals are also focusing their efforts on exploiting the vulnerabilities in these platforms. Recently, cybersecurity researchers found a problem in Microsoft Teams that could have allowed hackers to attack users with the help of a funny GIF.

Like other chat platforms, Microsoft Teams lets users send and receive animated GIFs. However, CyberArk researchers have discovered a problem. They said that viewing a GIF could let hackers compromise a Microsoft Teams account. As per the report, Microsoft has since patched the security hole.

The security flaw in Microsoft Teams

CyberArk found that the attack involves using a compromised subdomain to steal security tokens when a user loads an image. In this case, the end-user only sees the GIF sent to them and nothing else.

The victim will never know that they’ve been attacked, making the exploitation of this vulnerability stealthy and dangerous. (Image: CyberArk)

“We found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape users’ data,” CyberArk said in a blog post.

As per the report, the hacker would ultimately have been able to take over the organisation’s entire roster of Teams accounts.

“Since users wouldn’t have to share the GIF – just see it – to be impacted, vulnerabilities like this have the ability to spread automatically,” CyberArk said.

It said that the vulnerability would have affected every user of the Teams desktop or web browser version.

Thankfully, the security flaw has now been fixed. The report mentioned that CyberArk notified Microsoft of the account takeover vulnerability on March 23. It has since been working with Microsoft Security Research Center under Coordinated Vulnerability Disclosure, and a fix was released earlier this week.