Researchers Discover Four New Security Flaws Affecting Microsoft Teams
Security researchers have disclosed four new security flaws affecting the "link preview" feature in Microsoft Teams. The cybersecurity company Positive Security found the four separate vulnerabilities in March 2021; they can be exploited by attackers to leak victims' IP addresses, spoof link previews, and launch denial of service (DoS) attacks against users of Teams for Android.
According to a report from Positive Security, the researchers found the vulnerabilities while trying to bypass the same-origin policy (SOP) in Microsoft Teams and Electron. The same-origin policy is a browser security control that restricts how a document or script loaded from one origin can read data from or interact with resources belonging to another origin. Interestingly, the researchers managed to abuse the link preview feature to bypass the SOP in Microsoft Teams.
“In Teams, this preview is actually generated server-side by Microsoft (which is possible due to the lack of E2E encryption), so the feature cannot be abused to leak information from the user’s local network (e.g. the Node.js debug server),” explained Positive Security’s co-founder Fabian Bräunlein. “However, while investigating this feature, I stumbled upon a few unrelated vulnerabilities in its implementation.”
Fix to address bug that lets attackers get access to victims’ IP address in Microsoft Teams for Android
Microsoft has already delivered a fix for the bug that lets attackers obtain victims' IP addresses in Teams for Android, but it has yet to patch the remaining vulnerabilities. In a statement shared with Positive Security, Microsoft said that the URL spoofing issue does not pose an immediate risk to its users.
“MSRC has investigated this issue and concluded that this does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it’s not the one the user was expecting,” the company explained.
It is important to note that Microsoft extended its Safe Links protection feature to Microsoft Teams back in July, which helps to protect users from malicious URL-based phishing attacks by checking links at the time a user clicks them. Safe Links is part of Microsoft Defender for Office 365, and it only applies to users covered by a Safe Links policy, so IT admins need to turn it on by configuring such a policy in the Microsoft 365 Defender portal.
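The same policy can be created from Exchange Online PowerShell rather than the Defender portal. The following is an added example written for this article, not code from Microsoft or from Positive Security; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a role allowed to manage Safe Links, that the tenant is licensed for Defender for Office 365, and that the policy name "Teams-SafeLinks" and the domain "contoso.com" are placeholders to be replaced with your own.

```powershell
# Added example (not from the article, Microsoft, or Positive Security):
# enable Safe Links for Teams from Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module installed, an account with
# rights to manage Safe Links, a Defender for Office 365 license, and
# placeholder values for the policy name and recipient domain.

Connect-ExchangeOnline

$policyName = 'Teams-SafeLinks'   # hypothetical policy name
$tenantDomain = 'contoso.com'     # hypothetical tenant domain

# Create the policy only if it does not already exist.
if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $policyParams = @{
        Name                     = $policyName
        EnableSafeLinksForEmail  = $true
        EnableSafeLinksForTeams  = $true    # check links in Teams chats and channels at click time
        EnableSafeLinksForOffice = $true
        ScanUrls                 = $true    # real-time scanning of clicked URLs
        DeliverMessageAfterScan  = $true
        EnableForInternalSenders = $true    # cover messages between colleagues too
        TrackClicks              = $true    # keep click data for investigations
        AllowClickThrough        = $false   # no "continue anyway" on blocked pages
    }
    New-SafeLinksPolicy @policyParams
}

# A policy does nothing until a rule scopes it to recipients.
$ruleName = "$policyName-Rule"
if (-not (Get-SafeLinksRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule -Name $ruleName `
        -SafeLinksPolicy $policyName `
        -RecipientDomainIs $tenantDomain
}

# Verify the settings that matter for the Teams scenario.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List Name, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough
```

Safe Links does not change how Teams renders a link preview, so a spoofed preview would still be displayed; what it addresses is the scenario MSRC describes, where the user clicks through and lands on the malicious URL, by checking that URL against Microsoft's threat intelligence at click time and blocking it if it is known to be malicious.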