Microsoft Teams patched a flaw that could allow account takeover

The researchers who discovered the flaw have been working with Microsoft to patch it.

1 minute & 16 seconds read time

Microsoft has announced that it has issued a patch for a severe flaw in Microsoft Teams that could have allowed a user's account to be taken over simply by viewing a GIF. The security issue stemmed from the way that Teams handles images and could allow data theft and account hijacking. The security flaw was discovered by a security firm called CyberArk over a month ago.

Microsoft Teams patched a flaw that could allow account takeover 01

CyberArk worked with Microsoft Security Research Center using the Coordinated Vulnerability Disclosure to fix the flaw. Repairing such a sensitive flaw was a priority with the massively increased number of users who are utilizing Teams for education, work, and healthcare during the coronavirus pandemic. CyberArk was able to show Microsoft how it was possible to use a compromise subdomain to host images and steal security tokens by merely getting the user to view an image.

One of the most serious aspects of this particular attack was that it was invisible to the user. CyberArk said that it found that two Microsoft subdomains were vulnerable to takeover, including and

CyberArk said, "If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim's browser will send this cookie to the attacker's server, and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim's Teams account data." The security firm said that the attacker would need to issue a certificate for the compromised sub-domains, but that was possible. The victim of this attack would never know they were compromised, making this attack particularly dangerous. Microsoft has seen a major increase in demand for Teams in recent months.

Buy at Amazon

Surface Pro (Surface Pro 6)

TodayYesterday7 days ago30 days ago
* Prices last scanned on 9/24/2023 at 12:29 am CDT - prices may not be accurate, click links above for the latest price. We may earn an affiliate commission.

Shane is a long time technology writer who has been writing full time for over a decade. Shane will cover all sorts of news for TweakTown including tech and other topics. When not writing about all things geeky, he can be found at the track teaching noobs how to race cars.

Newsletter Subscription

Related Tags