Hackers can hijack your Microsoft Teams account via GIFs
Researchers at CyberArk, a US-based cybersecurity firm, have flagged a critical vulnerability in Microsoft Teams, the work communication service that competes with Slack. The issue is reportedly capable of compromising an organization's entire roster of accounts and business communication, and can be exploited by sending a simple GIF. Here's all you need to know about it.
How does it unfold
According to CyberArk, hackers could use a compromised subdomain to serve GIFs rigged to steal security tokens. Once a user of Teams receives the malicious GIF, the image steals their login credentials in the background, allowing the attacker to take over their account. From there, they could send more malicious GIFs to other users active on the company's Teams account, compromising all of them.
End user only sees the GIF
What makes this attack more dangerous than all other hijacks seen in the past is its covert nature. Even if you receive the malicious GIF, you will not be able to tell that you have been targeted, because the image would look just like any other GIF that people send all the time on modern chat apps.
However, Microsoft has issued a fix now
CyberArk's team informed Microsoft about the flaw on March 23, following which the company investigated the matter and issued a fix. "We addressed the issue and worked with the researcher under Coordinated Vulnerability Disclosure," the Redmond giant said, adding that it has "not seen any use of this technique in the wild" and has "taken steps to keep our customers safe."
Similar attack could be used against other platforms
CyberArk's team warned that the attack method used here could also be deployed against other platforms. This could easily lead to data theft, ransomware attacks, or corporate espionage for big organizations and their employees, who are currently trying to adjust to the new routine of working remotely.
Attack shows how data could compromise web-based apps
Professor Alan Woodward from the University of Surrey told the BBC, "It's a really good demonstration of how data, however apparently innocuous, brought into a web-based app can be used to sneak snippets of code onto your machine" and conduct unauthorized functions.