Microsoft Fixes Vulnerability in Teams (a Zoom competitor)
Microsoft has fixed a subdomain takeover flaw in its Teams communication and collaboration platform that could have been exploited to take control of vulnerable accounts. A proof-of-concept exploit demonstrated that would-be attackers could take over accounts by tricking users into viewing a maliciously crafted GIF.
Teams is positioned to subsume Skype for Business as well as provide collaboration services. While collaboration is restricted to your Microsoft 365 tenant, meetings can include external (guest) participants, which necessitated support for sharing images in the chat channel. The token needed for the attack to work is good for only an hour, but it is renewed each time the GIF is viewed. Exploiting this weakness is difficult because it requires first identifying a vulnerable Microsoft Teams subdomain. Microsoft claims to have secured those domains and added anti-exploitation measures.
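The precondition for the attack described above is a subdomain whose DNS record points at a resource nobody controls any more. The following is an added example (not code from the article or from Microsoft) of how a tenant can audit its own zone for that condition: it follows CNAME chains inside a constructed zone and flags any name whose chain ends at a target that no longer resolves. All hostnames, the zone contents and the offline resolver are constructed placeholders.

```python
# Added example (not from the article): flag records whose CNAME chain ends at
# a name that no longer resolves, the "dangling DNS" condition that makes a
# subdomain takeover possible. All names below are constructed placeholders.
from typing import Callable, Dict, List, Optional

# Constructed zone data: subdomain -> CNAME target (placeholder names only).
ZONE: Dict[str, str] = {
    "chat.teams.example": "fe.teams.example",
    "fe.teams.example": "chat-frontend.cloudapp.example",
    "legacy.teams.example": "old-app.cloudapp.example",
    "api.teams.example": "api-frontend.cloudapp.example",
    "loop.teams.example": "loop2.teams.example",
    "loop2.teams.example": "loop.teams.example",
}

# Constructed set of targets that still exist at the hosting provider.
LIVE_TARGETS = {"chat-frontend.cloudapp.example", "api-frontend.cloudapp.example"}


def offline_resolver(name: str) -> Optional[str]:
    """Stand-in for an external DNS lookup; returns an address or None (NXDOMAIN)."""
    return "203.0.113.10" if name in LIVE_TARGETS else None


def follow_cname(name: str, zone: Dict[str, str], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs inside our own zone; return the final external target, or None on a loop."""
    seen = set()
    while name in zone:
        if name in seen or len(seen) >= max_hops:
            return None  # loop or over-long chain: treat the record as broken
        seen.add(name)
        name = zone[name]
    return name


def find_dangling(zone: Dict[str, str], resolve: Callable[[str], Optional[str]]) -> List[str]:
    """Return subdomains whose CNAME chain is broken or ends at an unresolvable name."""
    dangling = []
    for sub in sorted(zone):
        target = follow_cname(sub, zone)
        if target is None or resolve(target) is None:
            dangling.append(sub)
    return dangling


if __name__ == "__main__":
    for sub in find_dangling(ZONE, offline_resolver):
        print(f"dangling CNAME, remove the record or reclaim its target: {sub}")
```

In a real audit, replace offline_resolver with a live lookup and run the scan on a schedule, since a target that resolves today may be decommissioned tomorrow.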
Read more in
Infosecurity Magazine: Microsoft Teams Funny GIFs Vulnerability Mended
Silicon Angle: Microsoft fixes wormlike account hijacking exploit in Teams
Bleeping Computer: Microsoft Teams patched against image-based account takeover