Researchers Discover Four New Security Flaws Affecting Microsoft Teams
Security researchers have revealed several new security flaws impacting the “link preview” feature in Microsoft Teams. The cybersecurity company Positive Security discovered four separate vulnerabilities in the feature back in March 2021, which can be exploited by attackers to leak victims’ IP addresses, spoof link previews, and launch denial of service (DoS) attacks targeting Android users.
According to a report from Positive Security, the researchers found the vulnerabilities while looking for a way to bypass the same-origin policy (SOP) in Microsoft Teams and Electron. The same-origin policy is a browser security mechanism that restricts how a document or script loaded from one origin can interact with resources from another origin. As it turned out, the link preview feature could not be used for that purpose, but examining its implementation uncovered four unrelated bugs.
“In Teams, this preview is actually generated server-side by Microsoft (which is possible due to the lack of E2E encryption), so the feature cannot be abused to leak information from the user’s local network (e.g. the Node.js debug server),” explained Positive Security’s co-founder Fabian Bräunlein. “However, while investigating this feature, I stumbled upon a few unrelated vulnerabilities in its implementation.”
Microsoft has fixed the IP address leak in Teams for Android, but not the other bugs
Microsoft has already shipped a fix for the bug that exposed the IP addresses of Teams for Android users, but the other three vulnerabilities remain unpatched. In a statement shared with Positive Security, Microsoft said the URL spoofing issue does not pose an immediate threat to its users.
“MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it’s not the one the user was expecting,” the company explained.
It is worth noting that Microsoft added Safe Links protection to Teams back in July. Safe Links checks URLs at the time of click, which helps protect users from URL-based phishing even when the preview shown in the message is misleading, since the check is applied to the destination the user actually opens. The feature is not on by default for Teams, so IT admins have to enable it by configuring a Safe Links policy in the Microsoft 365 Defender portal.
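The portal is the route the article mentions; the same policy can be created and verified from Exchange Online PowerShell, which is easier to audit and repeat across tenants. The script below is an added example, not code from the article or from Microsoft's documentation. The policy name, rule name, admin account and the tenant domain contoso.com are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a Security Administrator or equivalent role.

```powershell
# Added example: enable Safe Links for Teams with Exchange Online PowerShell.
# Placeholders (not from the article): policy/rule names, admin UPN, tenant domain.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # hypothetical UPN

$policyName = 'SafeLinks-Teams-Baseline'   # hypothetical policy name
$ruleName   = "$policyName-Rule"           # hypothetical rule name
$domain     = 'contoso.com'                # hypothetical tenant domain

# 1. Create or update the policy. EnableSafeLinksForTeams is the switch that
#    extends time-of-click URL checking to Teams messages; the other settings
#    are a sensible baseline for email and Office clients.
$params = @{
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true    # scan links in mail before delivery
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true    # internal senders can be compromised too
    TrackClicks              = $true    # keep click telemetry for investigations
    AllowClickThrough        = $false   # users cannot bypass the warning page
}
if (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-SafeLinksPolicy -Identity $policyName @params
} else {
    New-SafeLinksPolicy -Name $policyName @params
}

# 2. Scope the policy with a rule. A policy with no rule applies to nobody,
#    which is a common reason "enabled" Safe Links never fires.
if (-not (Get-SafeLinksRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule -Name $ruleName -SafeLinksPolicy $policyName `
        -RecipientDomainIs $domain -Priority 0
}

# 3. Verify: list every rule with the Teams setting of the policy it points to,
#    so a disabled rule or a policy without Teams protection stands out.
Get-SafeLinksRule | ForEach-Object {
    $p = Get-SafeLinksPolicy -Identity $_.SafeLinksPolicy
    [pscustomobject]@{
        Rule           = $_.Name
        State          = $_.State
        Policy         = $p.Name
        TeamsProtected = $p.EnableSafeLinksForTeams
        Scope          = ($_.RecipientDomainIs -join ',')
    }
} | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The verification step matters more than the creation step: Safe Links is enforced by the rule-to-policy binding, so an audit should confirm both that the rule is enabled and that the bound policy has EnableSafeLinksForTeams set, rather than checking the policy alone.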