Warning! Your Microsoft Teams account could be at risk

Security researchers have a warning for Microsoft Teams users out there. Researchers have discovered four vulnerabilities in Microsoft’s video calling platform that could be exploited by an attacker to spoof link previews, leak IP addresses and also access the company’s internal services.

These vulnerabilities were spotted by researchers at Positive Security while looking for a way to bypass the Same-Origin Policy (SOP) in Teams and Electron, the official blog post notes.

Microsoft Teams vulnerabilities

As per the blog post, researchers could bypass the SOP in MS Teams by abusing the link preview feature: allowing “the client generate a link preview for the target page” and then using “the summary text or perform OCR on the preview image to extract information”.

During this process, Positive Security co-founder Fabian Bräunlein discovered other vulnerabilities in the feature’s implementation. Of these, two could allow server-side request forgery (SSRF) and spoofing. The other two affected only Android smartphones and could be exploited to leak IP addresses and cause a Denial of Service (DoS). The blog also states that by exploiting the SSRF vulnerability, researchers could leak information from Microsoft’s local network.

Among the vulnerabilities, the DoS bug appears to be the worrying one, as it allows an attacker to send a message whose link preview has an invalid preview link target, such as “boom” instead of http://. This would crash the Teams app on Android devices every time a user tries to log in.
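
The SSRF and DoS bugs described above both come down to how a link preview target is handled, so here is an added defensive example (not code from Teams, Microsoft or Positive Security): a check that rejects a malformed target such as "boom" without raising, and rejects a target that resolves to a non-public address. The function names, the allowed schemes and the sample hostnames are assumptions made for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: previews only fetch web URLs


def check_preview_target(url, resolve=socket.getaddrinfo):
    """Return (ok, reason) for a link-preview target. Never raises on bad input."""
    if not isinstance(url, str):
        return False, "not a string"
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    try:
        infos = resolve(host, port or 443, type=socket.SOCK_STREAM)
    except (OSError, UnicodeError):
        return False, "host does not resolve"
    for info in infos:
        addr = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 zone id
        addr = getattr(addr, "ipv4_mapped", None) or addr
        if not addr.is_global:  # private, loopback, link-local, reserved
            return False, "resolves to non-public address"
    return (True, "ok") if infos else (False, "host does not resolve")


# Constructed resolver so the demo runs offline; the hostnames are made up.
def demo_resolver(host, port, **_):
    table = {"news.example": "93.184.216.34", "wiki.corp.example": "10.0.0.5",
             "127.0.0.1": "127.0.0.1"}
    if host not in table:
        raise OSError("unknown host")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (table[host], port))]


if __name__ == "__main__":
    for target in ["boom", "https://news.example/story", "ftp://news.example/x",
                   "http://wiki.corp.example/", "http://127.0.0.1:8080/",
                   "http://[::1", None]:
        print(repr(target), check_preview_target(target, demo_resolver))
```

A fetcher that relies on this check should connect to the address that was vetted, so the hostname cannot resolve to something else between the check and the request.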

What about the fix?

Positive Security disclosed the findings to Microsoft in March through its bug bounty program but the tech giant has only patched the IP address leak vulnerability in Teams for Android. Since the findings have been disclosed publicly now, Microsoft will need to patch all other vulnerabilities. The tech giant hasn’t revealed any details on the matter yet.

  • Published Date: December 23, 2021 3:02 PM IST


