Microsoft has fixed a vulnerability in its Teams app that left users at risk of having their accounts taken over.
The weakness, which involved exploiting some seemingly innocuous and entertaining GIFs, was discovered by researchers at CyberArk.
"We found that by leveraging a subdomain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape users' data and ultimately take over an organization’s entire roster of Teams accounts," said CyberArk's researchers.
Alarmingly, the vulnerability was found to be capable of spreading automatically "similar to a worm virus" and had the potential to affect every user of the desktop or web browser version of the Teams app.
"Since users wouldn’t have to share the GIF—just see it—to be impacted, vulnerabilities like this have the ability to spread automatically," noted researchers.
"Imagine the following scenario. An attacker sends a GIF or an image to a victim and gets control over their account. This vulnerability worked just that way and had the potential to take over an organization’s entire roster of Microsoft Teams accounts."
Among the malicious GIFs identified by researchers was one in which a human-sized Donald Duck sweeps a row of cuddly Mickey Mouse toys from a shop display onto the floor, replacing them with toys in his own image.
When a user views the malicious GIF, the attacker could use the compromised subdomain to steal security tokens. Users receiving the GIF would have no indication that they were under attack.
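The root cause the researchers describe is a subdomain takeover: a DNS name under the organisation's domain that points at a host nobody controls any more, so whatever loads from it (here, a GIF) runs in the domain's trust context. The defensive counterpart is a routine zone audit for dangling CNAME records. The script below is an added example, not code from CyberArk, Microsoft or this article; the zone records and the resolver table are constructed stand-ins so it runs offline.

```python
"""Audit DNS zone records for dangling CNAME targets (added example).

A subdomain takeover usually starts with a CNAME whose target no longer
exists (NXDOMAIN) or loops back on itself.  The zone export and the
resolver below are constructed sample data; in production you would feed
a real zone export and a real lookup function instead.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, target/address)


@dataclass(frozen=True)
class Finding:
    name: str    # the owner name in our zone that is at risk
    target: str  # the CNAME target as written in the zone
    reason: str  # why it was flagged


# Constructed zone export (hypothetical names; .test and example.net are reserved).
SAMPLE_ZONE: List[Record] = [
    ("www.example.test",    "A",     "192.0.2.10"),
    ("app.example.test",    "CNAME", "app-prod.hosting.example.net"),
    ("old.example.test",    "CNAME", "retired-tenant.hosting.example.net"),
    ("files.example.test",  "CNAME", "www.example.test"),
    ("loop-a.example.test", "CNAME", "loop-b.example.test"),
    ("loop-b.example.test", "CNAME", "loop-a.example.test"),
]

# Constructed resolver: external names that still resolve.  Anything missing
# from this table is treated as NXDOMAIN, i.e. a name an attacker could claim.
SAMPLE_RESOLVER = {
    "app-prod.hosting.example.net": "198.51.100.5",
}


def find_dangling(zone: Iterable[Record],
                  lookup: Callable[[str], Optional[str]],
                  max_hops: int = 8) -> List[Finding]:
    """Return a Finding for every CNAME in `zone` whose chain does not end
    at a live address.  `lookup(name)` returns an address for names that
    resolve outside the zone and None for NXDOMAIN."""
    zone = list(zone)
    by_name = {}
    for name, rtype, target in zone:
        by_name.setdefault(name, []).append((rtype, target))

    findings: List[Finding] = []
    for name, rtype, target in zone:
        if rtype != "CNAME":
            continue
        current, seen = target, set()
        while True:
            if current in seen:
                findings.append(Finding(name, target, "CNAME loop"))
                break
            seen.add(current)
            local = by_name.get(current)
            if local:
                # Target is inside our own zone: follow a CNAME hop, or stop
                # at an address record, which means the chain is healthy.
                cnames = [t for r, t in local if r == "CNAME"]
                if not cnames:
                    break
                if len(seen) > max_hops:
                    findings.append(Finding(name, target, "CNAME chain too long"))
                    break
                current = cnames[0]
                continue
            # Target is outside our zone: it must still resolve, otherwise
            # the name is dangling and could be registered by someone else.
            if lookup(current) is None:
                findings.append(Finding(
                    name, target, f"target {current} does not resolve (NXDOMAIN)"))
            break
    return findings


if __name__ == "__main__":
    for f in find_dangling(SAMPLE_ZONE, SAMPLE_RESOLVER.get):
        print(f"{f.name:24} -> {f.target:38} {f.reason}")
```

Run as-is it flags `old.example.test` as dangling and the two `loop-*` names as a CNAME loop, while `app` and `files` pass. To audit a real zone, replace `SAMPLE_RESOLVER.get` with a function built on dnspython's `dns.resolver.resolve`, returning None when it raises `dns.resolver.NXDOMAIN`; the rest of the logic is unchanged.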
"The victim sees a regular GIF sent to them—that’s it!" noted researchers. "The victim will never know that they’ve been attacked, making the exploitation of this vulnerability stealthy and dangerous."
Threats that operate in this way pose a huge challenge for businesses, organizations, and individuals relying on communication platforms like Teams to keep in touch with family, friends, and colleagues during the current widespread COVID-inspired lockdowns. Researchers described this particular danger as "a nightmare from a security perspective."
CyberArk said it notified Microsoft of the vulnerability on March 23, and a patch was released earlier this week. There is no evidence it was ever exploited by cyber-criminals.