Security experts at Positive Security have shared worrying reports about Microsoft’s Teams conferencing application. According to them, the client applications for Windows and Android contain four separate vulnerabilities that can be exploited to spoof links, leak IP addresses, and even access Microsoft’s internal services.
Two of these vulnerabilities allow server-side request forgery (SSRF) and spoofing (masking communication from an unknown source as communication from a known, trusted source). The other two apply only to Android smartphones and can be exploited to leak IP addresses.
Holes like a colander
The experts came across these vulnerabilities while looking for a way around the Same-Origin Policy (SOP) in Teams and Electron applications. Under this policy, a web browser allows scripts contained on one web page to access data on another web page only if both pages have the same origin.
An origin is defined as the combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from gaining access to sensitive data on another web page through its Document Object Model (DOM).
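The origin comparison described above, as an added example that is not part of the original article or of Positive Security's research: it uses the standard `URL` parser (Node.js or a browser) to reduce each URL to its scheme, host name and port, and covers the cases that tend to be misjudged by eye. All host names are constructed sample values, and `originTuple`, `isSameOrigin` and `runCases` are names chosen for this example.

```javascript
// Reduce a URL to its origin tuple (scheme, host name, port).
// Returns null for unparseable input and for opaque origins (data:, file:, ...),
// which are never same-origin with anything, including an identical URL.
function originTuple(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null;
  }
  if (url.origin === "null") return null;
  // The parser drops a port that equals the scheme default; make it explicit.
  const defaultPorts = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
  return {
    scheme: url.protocol,   // lower-cased by the parser
    host: url.hostname,     // lower-cased by the parser
    port: url.port || defaultPorts[url.protocol] || "",
  };
}

// Two URLs share an origin only if all three components match exactly.
function isSameOrigin(a, b) {
  const oa = originTuple(a);
  const ob = originTuple(b);
  if (!oa || !ob) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample data: one page and candidate resources it might try to read.
const page = "https://chat.example.com/app/index.html";
const candidates = [
  "https://chat.example.com/api/messages",   // same origin, different path
  "https://chat.example.com:443/x",          // explicit default port
  "HTTPS://CHAT.EXAMPLE.COM/x",              // case differences are normalised
  "http://chat.example.com/x",               // different scheme
  "https://chat.example.com:8443/x",         // different port
  "https://example.com/x",                   // parent domain is a different host
  "https://chat.example.com.evil.test/x",    // look-alike prefix, different host
  "data:text/html,<p>hi</p>",                // opaque origin
];

function runCases() {
  return candidates.map((u) => isSameOrigin(page, u));
}

for (const u of candidates) {
  console.log(isSameOrigin(page, u) ? "same-origin " : "cross-origin", u);
}
```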
In examining this sensitive issue, security experts have found that they can bypass SOP in Teams by abusing the link preview feature. Positive Security founder Fabian Bräunlein also discovered other unrelated vulnerabilities in the implementation of this feature.
Two of the four bugs found in Microsoft Teams can be used on any device: they enable server-side request forgery (SSRF) and spoofing. These bugs can be used to make phishing attacks more effective or to hide malicious links. The other two security vulnerabilities affect only the Android application and can be exploited to leak IP addresses and carry out a Denial of Service (DoS) attack.
Microsoft did not resolve the errors
The biggest concern is the DoS bug, as an attacker could send the user a message containing a link preview with an invalid target, causing Teams to crash. When the user tries to open a chat or channel containing the malicious message, the application crashes repeatedly.
Positive Security informed Microsoft of its findings through the company's bug bounty program as early as March 10, 2021. Over the following days, the two companies exchanged messages, after which Microsoft closed the tickets without issuing fixes, stating “This issue does not require an immediate security fix”.
Since then, the Redmond giant has fixed only the IP address leak vulnerability in Teams for Android. Now that this worrying information is being published, Microsoft should step up its efforts and come up with a quick and effective fix.
“Although the vulnerabilities discovered have a limited impact, it is surprising that such simple attack vectors have apparently not been tested before and that Microsoft is unwilling or does not have the resources to protect its users from them,” concludes Fabian Bräunlein.