Published in News

Microsoft makes sure GIFs aren’t funny anymore

by on28 April 2020

Security update

Software King of the World, Microsoft has fixed a problem with its Teams software which enabled cyber-attacks could be initiated via funny GIFs.

Teams lets colleagues send each other animated GIF images, but insecurity experts at CyberArk discovered viewing a GIF could let hackers compromise an account and steal data.

The flaw involved a compromised subdomain, a liquid lunch and a box of condoms (we made the last two up) which served up a funny but dangerous GIF.

The subdomain nicked security tokens when a user loads the image - but the end user would just see the GIF sent to them, and nothing else.

All a user had to do was view the GIF to allow an attacker to scrape data from their account.

If left open, the flaw could have led to widespread data theft, ransomware attacks and corporate espionage, the team added.

"They will never know that he or she has been attacked - making this vulnerability... very dangerous", the team said.

CyberArk said it notified Microsoft of the vulnerability on 23 March - the day lockdown began in the UK - and a patch was released earlier this week. There is no evidence cyber-criminals ever exploited it.

Prof Alan Woodward, from the University of Surrey, said this type of exploit had been seen before, when applications fail to do the necessary checks while bringing in content from servers - in this case "apparently harmless GIFs".

While the attack pattern is not easy to set up, it is a workable attack and "could spread very rapidly between all the users", he said.


Last modified on 28 April 2020
Rate this item
(0 votes)

Read more about: