Microsoft has patched a worm-like vulnerability in its Teams workplace video chat and collaboration platform that could have allowed attackers to take over an organisation’s entire roster of Teams accounts just by sending participants a malicious link to an innocent-looking image.
The flaw, impacting both desktop and web versions of the app, was discovered by cybersecurity researchers at CyberArk. After the findings were responsibly disclosed on March 23, Microsoft patched the vulnerability in an update released on April 20.
“Even if an attacker doesn’t gather much information from a Teams account, they could still use the account to traverse throughout an organisation (just like a worm),” CyberArk’s Omer Tsarfati said.
“Eventually, the attacker could access all the data from your organisation’s Teams accounts — gathering confidential information, meetings and calendar information, competitive data, secrets, passwords, private information, business plans, etc.”
The development comes as video conferencing software such as Zoom and Microsoft Teams is witnessing an unprecedented surge in demand, as businesses, students, and even government employees across the world are forced to work and socialise from home during the coronavirus pandemic.
images from Hacker News