Cyber security company CyberArk has discovered a vulnerability in Microsoft Teams that allowed user information to be captured with just one GIF. Microsoft closed the vulnerability last week.
Technology giants are competing intensely to offer good video conferencing tools to people working from home during the coronavirus outbreak. Zoom quickly came to the fore in that competition, but it also drew attention for its security and privacy issues. Now a critical vulnerability has been revealed in Teams, Microsoft's video conferencing tool, as well.
Security researchers have suggested that, during the three-week period from late February to mid-March, a malicious GIF may have stolen user data from companies' Microsoft Teams accounts. It was also stated that the vulnerability was closed in an update released by Microsoft on April 20.
Microsoft Teams threatened by a GIF
The vulnerability affected the desktop and browser versions of Microsoft Teams through the access tokens used by the authentication system. You can think of these tokens as files that confirm that the user has accessed the Teams account. The tokens are processed by Microsoft on the server at teams.microsoft.com or any subdomain under that address.
CyberArk found that two of these subdomains (aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com) could be taken over as part of the attack. The researchers used a Donald Duck GIF, which captured user data by targeting the authentication token of the Teams account. The source of the GIF was changed to a compromised subdomain, so the credentials of those viewing the GIF could go directly to hackers.
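The scoping problem described above can be checked from the defender's side. The following is an added example, not code from CyberArk or Microsoft: it models the token as a browser cookie (an assumption, since the article only says "tokens"), applies the RFC 6265 domain-matching rule, and lists the hosts that would receive the token without needing it. The cookie name and the two look-alike hosts are constructed.

```javascript
// Added example. The token is modelled as a cookie (an assumption); the
// cookie name and the look-alike hosts below are constructed.

// RFC 6265 section 5.1.3 domain-match: equal, or a suffix on a label boundary.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// With a Domain attribute the cookie goes to the domain and every subdomain;
// without one it is "host-only" and goes to the exact host that set it.
function receivesCookie(host, cookie) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return cookie.hostOnly ? h === cookie.domain.toLowerCase()
                         : domainMatches(h, cookie.domain);
}

// Hosts that would receive the token although they are not on the list of
// hosts that need it. Each is exposure if control of that host is ever lost.
function auditScope(cookie, inventory, needsToken) {
  const needed = new Set(needsToken.map((h) => h.toLowerCase()));
  return inventory.filter(
    (host) => receivesCookie(host, cookie) && !needed.has(host.toLowerCase())
  );
}

const inventory = [
  "teams.microsoft.com",
  "aadsync-test.teams.microsoft.com",   // named in the article
  "data-dev.teams.microsoft.com",       // named in the article
  "notteams.microsoft.com",             // constructed: no label boundary
  "teams.microsoft.com.example.net",    // constructed: look-alike prefix
];
const needsToken = ["teams.microsoft.com"];

const wide = { name: "session_token", domain: "teams.microsoft.com", hostOnly: false };
const narrow = { ...wide, hostOnly: true };

console.log("domain-wide scope:", auditScope(wide, inventory, needsToken));
console.log("host-only scope:  ", auditScope(narrow, inventory, needsToken));
```

With the domain-wide scope the two subdomains named in the article are flagged; with a host-only scope nothing is.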
Microsoft closed the vulnerability in the Teams app
CyberArk says the attack may have affected a large number of users in a short time. In addition, every account affected by this vulnerability poses a threat to companies. It is stated that the attackers may have obtained company secrets, competition data, passwords, private information and business plans through the GIF attack.
Fortunately, there is no evidence that attackers exploited the vulnerability. Following CyberArk's warning, Microsoft acted on March 23 to prevent the affected subdomains from being compromised, and closed the gap with the update it released on April 20.