Security News > 2020 > April > We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit
A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.
The rest of the Teams vuln was patched last Monday, 20 April.
"If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker can create a Skype token. After doing all of this, the attacker can steal the victim's Teams account data," said the research outfit.
From here it was straightforward to create a malicious GIF file that could be sent in a Teams message.
El Reg analysed Teams in detail earlier this month from a business usability perspective after new features were added.
News URL
https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/
Related news
- Google's got a hot cloud infosec startup, a new unified platform — and its eye on Microsoft's $20B+ security biz (source)
- Microsoft is killing Skype today, pushes users to Teams (source)
- New Microsoft 365 outage impacts Teams and other services (source)
- Microsoft Teams will soon block screen capture during meetings (source)