Among my daily Google Alerts subscriptions is one which keys on any news articles about Microsoft Teams. In today’s list, the first article listed was titled “Your Whole Company’s Microsoft Teams Data Could’ve Been Stolen With An ‘Evil GIF’”.
My first reaction to the headline was HOLY COW!!! Is there a vulnerability of which we, and all our clients, should be aware?!? Then I read the article… if you’d like to do the same, you can find it here. If you want me to save you the time, the “Too Long; Didn’t Read” (TL;DR) summary breaks down to this:
A group called CyberArk found a vulnerability; they reported it to Microsoft; Microsoft fixed it the same day; nothing happened.
It was a non-event. My opinion is that a better headline would have been “Microsoft acts fast to fix security vulnerability – no clients impacted”, but that headline wouldn’t have been so click-worthy. However, the real meat of this story is: who is CyberArk, and how did they report a vulnerability to Microsoft?
CyberArk is in the IT space and specializes in privileged access management, a critical layer of IT security to protect data. Likely in their normal course of business, they found the issue highlighted in the article with the way Teams was handling authentication tokens for viewing images. As a result, they submitted the find to Microsoft via the Microsoft Bug Bounty Program.
Bug Bounty Programs allow white-hat hackers to find potential vulnerabilities and report them back to the developers, who can create a patch or fix to resolve the issue before a malicious hacker can leverage the vulnerability into an exploit, either to wreak havoc or for personal gain. These programs require the participating developers to acknowledge that all products will occasionally have vulnerabilities which have the potential to be exploited. Through Bug Bounty programs, developers can identify and remediate these vulnerabilities through their patch management process, in many cases before any exploits can occur.
However, these sorts of bounties communicate to the world that these vulnerabilities exist, including to those hackers with malicious intent. As a result, running regular, managed security updates is one of the most critical security steps one can take.