We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit
A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.
The rest of the Teams vuln was patched last Monday, 20 April.
"If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker can create a Skype token. After doing all of this, the attacker can steal the victim's Teams account data," said the research outfit.
From here it was straightforward to create a malicious GIF file that could be sent in a Teams message.
El Reg analysed Teams in detail earlier this month from a business usability perspective after new features were added.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/