Security News > 2020 > April > We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit

We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit
2020-04-27 08:20

A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.

The rest of the Teams vuln was patched last Monday, 20 April.

"If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker can create a Skype token. After doing all of this, the attacker can steal the victim's Teams account data," said the research outfit.

From here it was straightforward to create a malicious GIF file that could be sent in a Teams message.

El Reg analysed Teams in detail earlier this month from a business usability perspective after new features were added.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399