A security issue in Microsoft Teams meant that cyber attacks could be initiated via funny GIF images, researchers revealed.
Like many chat apps, Teams allows colleagues to exchange elaborate animated GIF images.
But CyberArk researchers discovered a problem that meant merely viewing a GIF could allow hackers to compromise an account and steal data.
Microsoft has since corrected the security flaw, researchers said.
The flaw involved a compromised subdomain that served malicious images.
All a user had to do was view the GIF to allow an attacker to collect data from their account.
If left open, the flaw could have led to widespread data theft, ransomware attacks and corporate espionage, the team added.
Microsoft Teams, like many workplace collaboration tools, has seen tremendous growth in the past month because of the coronavirus lockdown rules.
The attack involves using a compromised subdomain to steal security tokens when a user uploads an image, but the end user would simply see the GIF sent to them and nothing else.
“They will never know that they were attacked, making this vulnerability … very dangerous,” said the team.
CyberArk said it informed Microsoft of the vulnerability on March 23 – the day the lockdown began in the UK – and a patch was released earlier this week. There is no evidence that it has ever been exploited by cybercriminals.
The company also warned that a similar attack could be replicated on other platforms in the future.
Professor Alan Woodward, of the University of Surrey, said that this type of exploit had been seen before, when applications did not perform the necessary checks while loading content from servers, in this case “apparently harmless gifs”.
Although the attack is not easy to set up, it is a viable attack and “could spread very quickly among all users,” he said.
“It would be a niche attack, probably reserved for high-value targets.
“It’s really a good demonstration of how data, however seemingly harmless, brought into a web-based app can be used to sneak code snippets onto the machine and perform functions that you simply shouldn’t be allowed to perform,” added Prof Woodward.
“It also demonstrates so-called zero-click attacks very well: simply viewing the gif in this attack could potentially work, with no clicks on unsafe links or opening of trapped documents.”
But Prof Woodward added that all software was occasionally subject to security flaws.
“It’s a healthy reminder of why you need to keep your software up to date,” he said.