
Security researchers have disclosed four new security flaws in the “link preview” feature of Microsoft Teams. Positive Security found the vulnerabilities in March 2021; they can be exploited by attackers to leak victims’ IP addresses, spoof link previews, and launch denial of service (DoS) attacks against Android users.
According to Positive Security’s report, the researchers came across the vulnerabilities while looking for ways to bypass the same-origin policy (SOP) in Microsoft Teams and Electron. The same-origin policy is the browser rule that stops a document loaded from one origin (scheme, host and port) from reading data belonging to another origin. The idea was that the link preview feature, which fetches a URL on the user’s behalf to build the preview card, might be turned into such a bypass. In Teams it turned out not to be, but the investigation exposed separate flaws in the feature’s implementation.
“In Teams, this preview is actually generated server-side by Microsoft (which is possible due to the lack of E2E encryption), so the feature cannot be abused to leak information from the user’s local network (e.g. the Node.js debug server),” explained Positive Security’s co-founder Fabian Bräunlein. “However, while investigating this feature, I stumbled upon a few unrelated vulnerabilities in its implementation.”
Microsoft has already shipped a fix for the bug that let attackers obtain victims’ IP addresses in Teams for Android, but it has yet to patch the other three vulnerabilities. In a statement shared with Positive Security, Microsoft said that the URL spoofing issue does not pose an immediate risk to its users.
“MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it’s not the one the user was expecting,” the company explained.
It is worth noting that Microsoft Teams gained Safe Links protection back in July, which checks URLs at click time and so addresses the click step that MSRC’s statement relies on, although it does not change what the spoofed preview card shows. The feature is part of Microsoft Defender for Office 365 and is not on by itself: IT admins enable it by configuring a Safe Links policy in the Microsoft 365 Defender portal (or from Exchange Online PowerShell).
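As an added example (not from the article and not Microsoft’s own documentation), the following script creates and verifies the Safe Links policy described above from Exchange Online PowerShell instead of the portal. The domain contoso.com, the admin account and the policy and rule names are placeholders; the tenant is assumed to hold a Defender for Office 365 license, without which the Safe Links cmdlets are unavailable.

```powershell
# Added example: enable Safe Links for Teams with a policy plus a rule that
# scopes it to recipients in one domain. Assumes the ExchangeOnlineManagement
# module is installed and the tenant is licensed for Defender for Office 365.
# 'contoso.com', admin@contoso.com and the policy/rule names are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName = 'Teams-SafeLinks'          # placeholder policy name
$ruleName   = "$policyName-Rule"         # placeholder rule name
$domain     = 'contoso.com'              # placeholder recipient domain

# Create the policy if it is missing, otherwise make sure Teams scanning is on.
$policy = Get-SafeLinksPolicy | Where-Object Name -eq $policyName
if (-not $policy) {
    New-SafeLinksPolicy -Name $policyName `
        -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForEmail $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -AllowClickThrough $false `
        -TrackClicks $true | Out-Null
} else {
    Set-SafeLinksPolicy -Identity $policyName `
        -EnableSafeLinksForTeams $true `
        -AllowClickThrough $false
}

# A policy applies to nobody until a rule binds it to recipients.
$rule = Get-SafeLinksRule | Where-Object Name -eq $ruleName
if (-not $rule) {
    New-SafeLinksRule -Name $ruleName `
        -SafeLinksPolicy $policyName `
        -RecipientDomainIs $domain `
        -Priority 0 | Out-Null
}

# Verify the effective settings rather than trusting the create calls.
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough
Get-SafeLinksRule -Identity $ruleName |
    Select-Object Name, SafeLinksPolicy, RecipientDomainIs, State

Disconnect-ExchangeOnline -Confirm:$false
```

AllowClickThrough is set to false so users cannot bypass the warning page and reach a URL that Safe Links has flagged; the final two Get- calls are the check to run after any portal change as well, since a policy with no enabled rule protects no one.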