We were just talking about Teams the other day, reporting on how you might not be able to create new free organization accounts, and Microsoft’s top conferencing app is already back in the spotlight.
And although we feel better when we have to report fixes and improvements, or new features coming to Teams, we have to also let you know about this security risk.
Apparently, security researchers have discovered four separate vulnerabilities within Teams, that could be exploited in order to spoof link previews, leak IP addresses, and even access Microsoft’s internal services.
Four major vulnerabilities are still being exploited in the wild
Experts from Positive Security stumbled upon these vulnerabilities while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron, according to a blog post.
Just in case you aren’t familiar with the term, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.
While investigating this sensitive matter, the researchers found that they could bypass the SOP in Teams by abusing the app’s link preview feature.
This was actually achieved by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information.
Also, while doing this, Positive Security co-founder Fabian Bräunlein discovered other unrelated vulnerabilities in the feature’s implementation as well.
Two of the four nasty bugs found in Microsoft Teams can be used on any device and allow for server-side request forgery (SSRF) and spoofing.
The other two only affect Android smartphones and can be exploited to leak IP addresses and achieve Denial of Service (DOS).
It goes without saying that, by exploiting the SSRF vulnerability, researchers were able to leak information from Microsoft’s local network.
At the same time, the spoofing bug can be used to improve the effectiveness of phishing attacks or to hide malicious links.
The most worrying of them all should definitely be the DOS bug, as an attacker can send a user a message that includes a link preview with an invalid preview link target to crash the Teams app for Android.
Unfortunately, the app will continue to crash when trying to open the chat or channel with the malicious message.
Positive Security did in fact inform Microsoft of its findings on March 10 through its bug bounty program. Since then, the tech giant has only patched the IP address leak vulnerability in Teams for Android.
But now that this disconcerting information is public and the consequences of these vulnerabilities pretty clear, Microsoft will have to step its game up and come up with some quick, effective fixes.
Have you experienced any security issues while using Teams? Share your experience with us in the comments section below.
Start a conversation
