Microsoft Teams might have a few serious security issues

Tajammul Pangarkar
Tajammul Pangarkar

Updated · Dec 23, 2021

SHARE:

Scoop.market.us is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more.
close
Advertiser Disclosure

At Market.us Scoop, we strive to bring you the most accurate and up-to-date information by utilizing a variety of resources, including paid and free sources, primary research, and phone interviews. Our data is available to the public free of charge, and we encourage you to use it to inform your personal or business decisions. If you choose to republish our data on your own website, we simply ask that you provide a proper citation or link back to the respective page on Market.us Scoop. We appreciate your support and look forward to continuing to provide valuable insights for our audience.

Security researchers have discovered four separate vulnerabilities in Microsoft Teams that could be exploited by an attacker to spoof link previews, leak IP addresses and even access the software giant's internal services.

These discoveries were made by researchers at Positive Security who “stumbled upon” them while looking for a way to bypass the the Same-Origin Policy (SOP) in Teams and Electron according to a new blog post. For those unfamiliar, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.

During their investigation into the matter, the researchers found that they could bypass the SOP in Teams by abusing the link preview feature in Microsoft's video conferencing software by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information. 

However, while doing this, Positive Security co-founder Fabian Bräunlein found other unrelated vulnerabilities in the feature's implementation.

Microsoft Teams vulnerabilities

Of the four bugs Bräunlein found in Teams, two can be used on any device and allow for server-side request forgery (SSRF) and spoofing while the other two only affect Android smartphones and can be exploited to leak IP addresses and achieve Denial of Service (DOS).

By exploiting the SSRF vulnerability, the researchers were able to leak information from Microsoft's local network. Meanwhile the spoofing bug can be used to improve the effectiveness of phishing attacks or to hide malicious links.

The DOS bug is particularly worrying as an attacker can send a user a message that includes a link preview with an invalid preview link target (for instance “boom” instead of “https://…”) to crash the Teams app for Android. Unfortunately, the app will continue to crash when trying to open the chat or channel with the malicious message.

Positive Security responsibly disclosed its findings to Microsoft on March 10 through its bug bounty program. However, in the time since, the software giant has only patched the IP address leak vulnerability in Teams for Android. Now that Positive Security has publicly disclosed its findings, Microsoft may have to patch the remaining three vulnerabilities even though it told the researchers that they don't pose an immediate threat to its users.

We've also rounded up the best identity theft protection, best firewall and best malware removal software

Via Threatpost

Source Link Microsoft Teams might have a few serious security issues

SHARE:
Tajammul Pangarkar

Tajammul Pangarkar

Tajammul Pangarkar is a CMO at Prudour Pvt Ltd. Tajammul longstanding experience in the fields of mobile technology and industry research is often reflected in his insightful body of work. His interest lies in understanding tech trends, dissecting mobile applications, and raising general awareness of technical know-how. He frequently contributes to numerous industry-specific magazines and forums. When he’s not ruminating about various happenings in the tech world, he can usually be found indulging in his next favorite interest - table tennis.

Latest from Author