Researchers Discover Four New Security Flaws Affecting Microsoft Teams
Security researchers have revealed several new security flaws impacting the “link preview” feature in Microsoft Teams. The cybersecurity company Positive Security discovered four separate vulnerabilities in the feature back in March 2021, which can be exploited by attackers to leak victims’ IP addresses, spoof link previews, and launch denial of service (DoS) attacks targeting Android users.
According to a report from Positive Security, the researchers found the vulnerabilities while trying to bypass the same-origin policy (SOP) in Microsoft Teams and Electron. The same-origin policy is a browser security control that restricts how content loaded from one origin (scheme, host and port) can read or interact with resources from another origin. Interestingly, the researchers managed to abuse the link preview feature in order to bypass the SOP in Microsoft Teams.
“In Teams, this preview is actually generated server-side by Microsoft (which is possible due to the lack of E2E encryption), so the feature cannot be abused to leak information from the user’s local network (e.g. the Node.js debug server),” explained Positive Security’s co-founder Fabian Bräunlein. “However, while investigating this feature, I stumbled upon a few unrelated vulnerabilities in its implementation.”
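The article does not describe the internals of the spoofing or IP-leak bugs, so the following is an added example rather than code from Microsoft, Positive Security or the article: a minimal server-side link-preview checker that applies two defensive rules a preview service can enforce. First, a preview is only fetched for targets that resolve to a public address, which is the property that makes server-side generation safe for the user's local network. Second, a preview card is only rendered when the URL it links to matches the URL that actually appears in the message, so a card cannot quietly point somewhere other than the visible link. The hostnames, the fake DNS table and the `Preview` structure are all constructed for this example.

```python
"""Server-side link-preview validation (added example; not Teams code).

Two checks are applied before a preview card is fetched or rendered:
  1. the host must resolve to a globally routable address, so the preview
     service cannot be used to reach private or loopback networks;
  2. the card's clickable target must match the link in the message.
"""
import ipaddress
import socket
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; real code would use
# the default resolver (socket.gethostbyname) passed as `resolver`.
FAKE_DNS = {
    "example.com": "93.184.216.34",   # public address
    "intranet.local": "10.0.0.5",     # RFC 1918 private address
    "localhost": "127.0.0.1",         # loopback
}


@dataclass
class Preview:
    link_url: str    # URL exactly as it appears in the message body
    target_url: str  # URL the rendered preview card would link to
    title: str       # title shown on the card (hypothetical field)


def _resolve(host, resolver):
    """Return the address for host; IP literals skip the resolver."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return ipaddress.ip_address(resolver(host))


def host_is_public(host, resolver=socket.gethostbyname):
    """True only if host resolves to a globally routable address."""
    try:
        return _resolve(host, resolver).is_global
    except (KeyError, OSError, ValueError):
        # Unknown host or unparsable answer: refuse rather than guess.
        return False


def check_preview(p, resolver=socket.gethostbyname):
    """Return (allowed, reason) for a preview card."""
    link, target = urlsplit(p.link_url), urlsplit(p.target_url)
    if link.scheme not in ("http", "https") or target.scheme not in ("http", "https"):
        return (False, "unsupported scheme")
    link_host = (link.hostname or "").lower()
    if not link_host or link_host != (target.hostname or "").lower():
        return (False, "preview target does not match message link")
    if not host_is_public(link_host, resolver):
        return (False, "target resolves to a non-public address")
    return (True, "ok")


def demo():
    """Run the three constructed cases and return their verdicts."""
    resolver = FAKE_DNS.__getitem__
    cases = [
        Preview("https://example.com/doc", "https://example.com/doc", "Doc"),
        Preview("https://example.com/doc", "https://other.example/x", "Doc"),
        Preview("http://intranet.local/admin", "http://intranet.local/admin", "Admin"),
    ]
    return [check_preview(c, resolver) for c in cases]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The host check deliberately refuses unknown or unresolvable names instead of allowing them, and the consistency check compares the normalized hostname rather than the whole URL so that ordinary path or query differences introduced by canonicalization do not cause false rejections while a card pointing at a different host is still blocked.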
Fix to address bug that lets attackers get access to victims’ IP address in Microsoft Teams for Android
Fortunately, Microsoft has already delivered a fix to address the bug that lets attackers get access to victims’ IP addresses in Teams for Android, but it has yet to patch all the other vulnerabilities. In a statement shared with Positive Security, Microsoft said that the URL spoofing issue won’t be an immediate risk to its users.
“MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it’s not the one the user was expecting,” the company explained.
It is important to note that Microsoft Teams added a Safe Links protection feature back in July that helps to protect users from malicious URL-based phishing attacks. Meanwhile, IT admins can turn it on manually by configuring a Safe Links policy in the Microsoft 365 Defender portal.