Security researchers have found four vulnerabilities in Microsoft Teams that attackers can use to leak IP addresses, spoof link previews and even access the company’s internal services. TechRadar reports that researchers at Positive Security “stumbled upon” them while trying to bypass the Same-Origin Policy (SOP) in Electron and Teams. SOP is a security mechanism found in all browsers that stops websites from attacking each other.
During their investigation, the researchers discovered that they could bypass the SOP in Microsoft’s video conferencing software by exploiting the link preview feature in Teams. They did so by having the client set up a link preview for the target page and then using either the summary text or optical character recognition (OCR) on the preview image to obtain information. While doing so, Positive Security co-founder Fabian Bräunlein discovered other, unrelated security issues in the implementation of the feature.
Other security issues present in Teams
Two of the four bugs that Bräunlein found in Teams apply to any device and allow for server-side request forgery (SSRF) and spoofing. The other two bugs affect only Android smartphones and can be abused to achieve denial of service (DoS) and to leak IP addresses.
The researchers were able to extract information from the tech giant’s local network by using the SSRF vulnerability. The spoofing bug, meanwhile, can be exploited to increase the impact of phishing attacks or to disguise malicious links.
The DoS bug is especially disruptive: an attacker can send a user a message containing a link preview with an invalid preview link target (for example “boom” instead of “https://…”) that crashes the Teams app on Android. The app keeps crashing whenever the user tries to open the chat or channel that contains the malicious message.
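A defensive handling of the malformed preview target described above, as an added example that is not code from the article, Positive Security or Microsoft. The message fields `url` and `previewTarget` and all function names are hypothetical, and the host-match rule is an assumed policy against previews that disguise where a link leads.

```javascript
// Added example: `url` and `previewTarget` are hypothetical field names,
// not Teams' real message schema.
const ALLOWED_SCHEMES = new Set(["https:"]);

// Parse without throwing: a malformed value yields null instead of an exception.
function parseUrl(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) return null;
  try {
    return new URL(value);
  } catch (_) {
    return null; // e.g. "boom" is not an absolute URL
  }
}

// Decide whether a link preview may be rendered as a clickable card.
function checkLinkPreview(msg) {
  const shown = parseUrl(msg.url);
  const target = parseUrl(msg.previewTarget);
  if (!target) return { render: false, reason: "invalid-target" };
  if (!ALLOWED_SCHEMES.has(target.protocol)) return { render: false, reason: "scheme-not-allowed" };
  if (target.username || target.password) return { render: false, reason: "credentials-in-url" };
  // The card must lead where the visible link leads, so it cannot disguise another site.
  if (!shown || shown.host !== target.host) return { render: false, reason: "target-mismatch" };
  return { render: true, reason: "ok" };
}

// Process a whole chat: a bad message is downgraded to plain text, never fatal.
function renderChat(messages) {
  return messages.map((m) => {
    const verdict = checkLinkPreview(m);
    return { id: m.id, mode: verdict.render ? "card" : "plain-text", reason: verdict.reason };
  });
}

// Constructed sample messages (not captured traffic).
const SAMPLE_CHAT = [
  { id: 1, url: "https://example.com/doc", previewTarget: "https://example.com/doc" },
  { id: 2, url: "https://example.com/doc", previewTarget: "boom" },
  { id: 3, url: "https://example.com/login", previewTarget: "https://example.net/login" },
  { id: 4, url: "https://example.com/doc", previewTarget: "ftp://example.com/doc" },
  { id: 5, url: "https://example.com/doc" }, // preview target missing entirely
];

console.log(renderChat(SAMPLE_CHAT));
```

Because every message gets a verdict rather than an exception, reopening the chat that holds the malformed message still renders the rest of the conversation.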
Positive Security disclosed its findings to Microsoft through the company’s bug bounty program in March 2021. However, the tech giant was only able to fix the IP address leak in Teams for Android by that time.
Positive Security has now disclosed its findings publicly, so Microsoft will have to fix the remaining three security issues, even though the software giant informed the researchers that these vulnerabilities don’t pose an immediate threat to its users.