A security problem in Microsoft Teams meant cyber-attacks could be initiated via funny Gif images, researchers have revealed.
Like many chat apps, Teams lets colleagues send each other whimsical animated Gif images.
But CyberArk researchers discovered a problem that meant viewing a Gif could let hackers compromise an account and steal data.
Microsoft has since patched the security hole, researchers said.
The flaw involved a compromised subdomain serving up the malicious images.
All a user had to do was view the Gif to allow an attacker to scrape data from their account.
If left open, the flaw could have led to widespread data theft, ransomware attacks and corporate espionage, the team added.
Microsoft Teams, like many workplace collaboration tools, has seen huge growth in the past month, due to coronavirus lockdown rules.
This attack involves using a compromised subdomain to steal security tokens when a user loads an image – but the end user would just see the Gif sent to them, and nothing else.
“They will never know that he or she has been attacked – making this vulnerability… very dangerous,” the team said.
CyberArk said it notified Microsoft of the vulnerability on 23 March – the day lockdown began in the UK – and a patch was released earlier this week. There is no evidence it was ever exploited by cyber-criminals.
It also warned that a similar attack could be replicated in future on other platforms.
Prof Alan Woodward, from the University of Surrey, said this type of exploit had been seen before, when applications fail to do the necessary checks while bringing in content from servers – in this case “apparently harmless gifs”.
While the attack pattern is not easy to set up, it is a workable attack and “could spread very rapidly between all the users”, he said.
“It would be a very niche attack, probably reserved for high-value targets.
“It is a really good demonstration of how data, however apparently innocuous, brought into a web based app can be used to sneak snippets of code onto your machine and conduct functions you simply shouldn’t be authorised to do,” added Prof Woodward.
“It also demonstrates very nicely so-called zero-click attacks – my merely displaying the gif in this attack could potentially work, no clicking in dodgy links or opening booby-trapped documents.”
But Prof Woodward added that all software was bound to have security flaws occasionally.
“It’s a salutary tale of why you need to keep your software updated,” he said