Microsoft Teams fixes a security vulnerability that exploited GIFs to access a user’s data

Apps like Microsoft Teams have seen a steady rise in popularity courtesy of the COVID-19 pandemic and the resultant social distancing. But they’ve had their fair share of privacy concerns too. Last month, security researchers at CyberArk uncovered a flaw in Microsoft Teams (desktop and web browser version both) that put an account and the associated computer’s data at risk with the help of a GIF.

Succinctly, all the user had to do was view a specific GIF that they had received. Once this was done, in the background, a hacker could use a compromised subdomain to steal security tokens and mine the victim’s data.

Concretely, the malicious GIF enclosed an ‘src’ attribute. When it was opened, the target browser would try to load the GIF and this would send the ‘authtoken’ cookie, which is used to authenticate the loading of images in domains across Skype and Teams, to the compromised sub-domain. This meant that the attacker would get their hands on the victim’s authtoken, allowing them to carve a pathway to scrape the victim’s data.

The bug was reported to Microsoft on March 23, but the issue has now been fixed in a recent update. CyberArk stated that it worked on the vulnerability with Microsoft Security Research Center under Coordinated Vulnerability Disclosure. So far, there is no evidence that suggests that the bug was exploited by cybercriminals.