Security researchers have discovered four vulnerabilities in Microsoft Teams. Microsoft Teams software that can be exploited by any attacker to expose IP addresses, fake link previews , and even gain access to the company’s internal resources.
TechRadar informs us that researchers at Positive Security came across these new findings after they “stumbled on” these in their quest to bypass their Same-Origin Policy (SOP) in Electron and Teams. SOP is an encryption standard found in all browsers and blocks websites from attacking each the other.
In their research into the issue, researchers found that they were able get around the SOP for Microsoft’s video conferencing software through Link preview features that is available in Teams.
They managed to accomplish this by allowing the user to create an image preview of the link on the page they want to visit and then using optical character recognition (OCR) or summary text displayed on the preview image to gather details. Additionally, during the procedure the cofounder and founder Positive Security, Fabian Braunlein Positive Security, Fabian Braunlein found other security issues during the development this feature.Other security concerns are also that are present in Teams
The bugs Braunlein discovered in Teams could be exploitable on any device. They also permit Server-side Request Forgery (SSRF) or spoofing. On the other hand the two other bugs have an effect on Android smartphones. They can be exploited to cause Denial of Service (DOS) as well as reveal IP addresses.
Researchers were able get data from the local network using this SSRF vulnerability. As of now, this fakery bug could be exploited to boost the effectiveness of phishing attack or disguise malicious hyperlinks.
The DOS bug can be a source of anxiety because an attacker could send an individual a message that contains a link preview with a bogus preview link to the target (for example). If you choose “boom” in place of “https ://…”) that will definitely stop the Teams application running on Android.
The application will continue to crash. slowing down if you attempt to connect to the chat channel using the fake message.
Positive Security took up the responsibility of revealing its knowledge to Microsoft through the bug bounty program, which began in March 2021. However the tech giant could only resolve the leak of IP addresses security problem for Teams for Android in the year 2021.
Positive Security has finally disclosed its findings publically, meaning that Microsoft must address the other three security vulnerabilities even when the software giant told the researchers that the vulnerabilities don’t present a threat immediately for its users.