What you need to know
- Microsoft fixed a vulnerability in Microsoft Teams that could have been used to access user data.
- The vulnerability could have been exploited with a malicious GIF or links.
- Microsoft worked with CyberArk to fix the issue.
A vulnerability in Microsoft Teams has been fixed, protecting people from malicious links and GIFs that could be used to access people's data (via Neowin). The vulnerability was discovered by CyberArk, which worked with Microsoft to fix the issue. The security flaw was present in both the desktop and web browser versions of Microsoft Teams.
Taking advantage of the vulnerability would require a sophisticated form of attack. To access someone's data, an attacker would have had to create and share a malicious link or GIF that someone opened within Microsoft Teams. Notably, a link would have had to be opened, whereas a GIF would just need to be viewed within the communication app. Opening the malicious content within Teams would then send an authentication token to a server controlled by the attacker. Using that data, an attacker could read people's messages, send messages pretending to be a person, create groups, and control the Teams account in several other ways.
An attacker could automate the process and send attacks that would work their way through an entire organization. Here is a portion of CyberArk's conclusions about the vulnerability:
A Microsoft spokesperson told SecurityWeek, "We addressed the issue discussed in this blog and worked with the researcher under Coordinated Vulnerability Disclosure. While we have not seen any use of this technique in the wild, we have taken steps to keep our customers safe."
The vulnerability relies on an attacker gaining access to subdomains that are open to attack. CyberArk found two subdomains that could be used in an attack, but Microsoft states that these subdomains cannot be exploited anymore.
CyberArk told SecurityWeek that it believes the same attack tactics could still work if someone found a subdomain that could be hijacked, though that's not an easy task, according to CyberArk.
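Because the attack depends on a hijackable subdomain, a defender can audit their own DNS for aliases that point at resources they no longer control, and rank first the ones that sit inside the scope where an authentication token is sent. The sketch below is an added example, not code from CyberArk, Microsoft or this article; the hostnames and zone data are constructed, and it assumes the token is scoped to a parent domain the way a cookie would be, which the article does not specify.

```python
import ipaddress

# Constructed sample zone (name, type, value); every hostname is hypothetical.
ZONE = [
    ("chat.example.test", "A", "203.0.113.10"),
    ("img.chat.example.test", "CNAME", "img-prod.cdn-provider.test"),
    ("promo.chat.example.test", "CNAME", "promo-2019.cdn-provider.test"),
    ("docs.example.test", "CNAME", "old-docs.cdn-provider.test"),
]
# CNAME targets the organisation can confirm it still owns (constructed).
CLAIMED_TARGETS = {"img-prod.cdn-provider.test"}


def _norm(name):
    return name.lower().rstrip(".")


def domain_match(host, token_domain):
    """RFC 6265 section 5.1.3 domain matching for a cookie-style token scope."""
    host, token_domain = _norm(host), _norm(token_domain).lstrip(".")
    try:
        ipaddress.ip_address(host)
        return host == token_domain  # IP hosts only match exactly
    except ValueError:
        return host == token_domain or host.endswith("." + token_domain)


def audit(zone, claimed_targets, token_domain):
    """Return dangling CNAMEs, those inside the token scope first."""
    claimed = {_norm(t) for t in claimed_targets}
    findings = []
    for name, rtype, value in zone:
        if rtype != "CNAME" or _norm(value) in claimed:
            continue  # not an alias, or the target is still ours
        in_scope = domain_match(name, token_domain)
        findings.append({
            "host": _norm(name),
            "target": _norm(value),
            "receives_token": in_scope,
            "severity": "high" if in_scope else "medium",
        })
    return sorted(findings, key=lambda f: (not f["receives_token"], f["host"]))


if __name__ == "__main__":
    for f in audit(ZONE, CLAIMED_TARGETS, "chat.example.test"):
        print(f["severity"], f["host"], "->", f["target"])
```

In practice the zone list would come from a DNS export and the claimed set from the hosting provider's inventory; anything flagged high should have its record removed or its target reclaimed first.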
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.
What next I wonder? Security issues with Zoom? Nah...
WOW, 9 video feeds at the same time. Release date? :-) https://microsoftteams.uservoice.com/forums/555103-public/suggestions/17...
Facebook enters this race and can do 16 out of the gate? Zoom can do 7x7 or 49?? What's going on at MS?? Everyone asking "Why would anyone NEED that?" is probably also asking why anybody would need in their cars power windows, or a backup camera, or adaptive cruise control. Not everyone NEEDS those things, but ultimately these products are competing with one another, and to be missing features or seem behind the others is going to relegate your own as less useful.