Cyber researchers have unearthed a flaw in Microsoft Teams that would have allowed attackers to take over users’ accounts via a malicious GIF file.
A team from security vendor CyberArk found a subdomain takeover vulnerability in the collaboration tool, which now has more than 44 million daily active users.
The flaw, which has been patched by Microsoft, would have allowed attackers to scrape users' data and take over an organisation’s Teams accounts using a GIF.
According to CyberArk, because a user would not have to share the GIF – only view it – to be affected, a vulnerability like this can spread automatically from account to account.
“The fact that the victim only needs to see the crafted message to be impacted is a nightmare from a security perspective,” CyberArk wrote in a blog post.
“Every account that could have been impacted by this vulnerability could also be a spreading point to all other company accounts. The GIF could also be sent to groups (a.k.a. Teams), which makes it even easier for an attacker to get control over users faster and with fewer steps.”
The vulnerability affected both the desktop and web-browser versions of Teams. Its discovery comes during a major surge in demand for collaboration tools such as Teams, Zoom, Slack and Skype for Business, driven by the spread of COVID-19 and the need for staff to work from home.
Rival Zoom has also struggled to fend off security concerns about its software, leading it to hire former Facebook security chief Alex Stamos as an adviser.