Is It Possible To Exploit User Data Via GIFs? That's What Happened To A Microsoft App

Together with many video conferencing apps, Microsoft Teams has witnessed phenomenal growth in popularity during the COVID-19 pandemic and resultant work-from-home policies. However, they have had to cope with new difficulties, especially privacy concerns, which could become a huge threat for corporates. 

Last month, security researchers at CyberArk discovered a flaw in both desktop and web browser versions of Microsoft Teams  Surprisingly, the affected account and its related computer’s data were nearly at risk because of a … GIF.

As it turned out, when the user saw a particular GIF that had been sent to them, the hacker behind the background could utilize a compromised subdomain to steal security tokens and exploit the database of that user. 

This vulnerability is undoubtedly severe because it can spread far and wide with no need for manual interference. According to CyberArk, in the end, the hacker could gain access to all of your private data through your Teams accounts, which include secret information, competitive data, passwords, business plans, and so on. 

Moreover, the situation may get worse if this security flaw was exploited to send false information to employees under the name of a company’s honorable leadership, causing the following damages such as financial crisis, confusion, data leakage, etc. 

It seems that those companies using their exclusive Teams account for internal communication might reduce the possibility of that security flaw; however, as explained by CyberArk, a simple invitation to a conference call with an outsider can put your account at a high level of risk. 

Fortunately, after the flaw had been reported to Microsoft on 23rd March, it was addressed and fixed in the latest update on 20th April. It was the result of a collaboration between CyberArk and Microsoft Security Research Center under Coordinated Vulnerability Disclosure, which received a lot of tremendous compliments. Until now, no account has been recorded to have been compromised by cybercriminals.