Share this article
Improve this guide
Microsoft still hasn’t fixed four Teams vulnerabilities exploited since March
3 min. read
Updated onOctober 4, 2023
updated onOctober 4, 2023
Share this article
Improve this guide
Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more
Key notes
We were just talking about Teams the other day, reporting on howyou might not be able to create new free organization accounts, and Microsoft’s top conferencing app is already back in the spotlight.
And although we feel better when we have to report fixes and improvements, or new features coming to Teams, we have to also let you know about this security risk.
Apparently, security researchers have discovered four separate vulnerabilities within Teams, that could be exploited in order to spoof link previews, leak IP addresses, and even access Microsoft’s internal services.
Four major vulnerabilities are still being exploited in the wild
Experts from Positive Security stumbled upon these vulnerabilities while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron, according to ablog post.
Just in case you aren’t familiar with the term, SOP is a security mechanism found in browsers that helps stop websites from attacking one another.
While investigating this sensitive matter, the researchers found that they could bypass the SOP in Teams by abusing the app’s link preview feature.
This was actually achieved by allowing the client to generate a link preview for the target page and then using either summary text or optical character recognition (OCR) on the preview image to extract information.
Also, while doing this, Positive Security co-founder Fabian Bräunlein discovered other unrelated vulnerabilities in the feature’s implementation as well.
Two of the four nasty bugs found in Microsoft Teams can be used on any device and allow for server-side request forgery (SSRF) and spoofing.
The other two only affect Android smartphones and can be exploited to leak IP addresses and achieve Denial of Service (DOS).
It goes without saying that, by exploiting the SSRF vulnerability, researchers were able to leak information from Microsoft’s local network.
At the same time, the spoofing bug can be used to improve the effectiveness of phishing attacks or to hide malicious links.
The most worrying of them all should definitely be the DOS bug, as an attacker can send a user a message that includes a link preview with an invalid preview link target to crash the Teams app for Android.
Unfortunately, the app will continue to crash when trying to open the chat or channel with the malicious message.
Positive Security did in fact inform Microsoft of its findings on March 10 through its bug bounty program. Since then, the tech giant has only patched the IP address leak vulnerability in Teams for Android.
But now that this disconcerting information is public and the consequences of these vulnerabilities pretty clear, Microsoft will have to step its game up and come up with some quick, effective fixes.
Have you experienced any security issues while using Teams? Share your experience with us in the comments section below.
More about the topics:Microsoft Teams
Alexandru Poloboc
Tech Journalist
With an overpowering desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter, anchor, as well as TV and radio entertainment show host.
A certified gadget freak, he always feels the need to surround himself with next-generation electronics.
When he is not working, he splits his free time between making music, gaming, playing football, basketball and taking his dogs on adventures.
User forum
0 messages
Sort by:LatestOldestMost Votes
Comment*
Name*
Email*
Commenting as.Not you?
Save information for future comments
Comment
Δ
Alexandru Poloboc
Tech Journalist
With a desire to always get to the bottom of things and uncover the truth, Alex spent most of his time working as a news reporter.
