1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Microsoft Teams might have a few serious security issues

    From TechnologyDaily@1337:1/100 to All on Thu Dec 23 02:15:04 2021
    Microsoft Teams might have a few serious security issues

    Date:
    Thu, 23 Dec 2021 02:00:41 +0000

    Description:
    Security researchers have discovered four vulnerabilities in Microsoft's link preview feature in Teams.

    FULL STORY ======================================================================

    Security researchers have discovered four separate vulnerabilities in Microsoft Teams that could be exploited by an attacker to spoof link
    previews, leak IP addresses and even access the software giant's internal services.

    These discoveries were made by researchers at Positive Security who stumbled upon them while looking for a way to bypass the the Same-Origin Policy (SOP) in Teams and Electron according to a new blog post . For those unfamiliar,
    SOP is a security mechanism found in browsers that helps stop websites from attacking one another.

    During their investigation into the matter, the researchers found that they could bypass the SOP in Teams by abusing the link preview feature in Microsoft's video conferencing software by allowing the client to generate a link preview for the target page and then using either summary text or
    optical character recognition ( OCR ) on the preview image to extract information.

    However, while doing this, Positive Security co-founder Fabian Brunlein found other unrelated vulnerabilities in the feature's implementation. Microsoft Teams vulnerabilities

    Of the four bugs Brunlein found in Teams, two can be used on any device and allow for server-side request forgery (SSRF) and spoofing while the other two only affect Android smartphones and can be exploited to leak IP addresses and achieve Denial of Service (DOS).

    By exploiting the SSRF vulnerability, the researchers were able to leak information from Microsoft's local network. Meanwhile the spoofing bug can be used to improve the effectiveness of phishing attacks or to hide malicious links .

    The DOS bug is particularly worrying as an attacker can send a user a message that includes a link preview with an invalid preview link target (for
    instance boom instead of https://...) to crash the Teams app for Android. Unfortunately, the app will continue to crash when trying to open the chat or channel with the malicious message.

    Positive Security responsibly disclosed its findings to Microsoft on March 10 through its bug bounty program . However, in the time since, the software giant has only patched the IP address leak vulnerability in Teams for
    Android. Now that Positive Security has publicly disclosed its findings, Microsoft may have to patch the remaining three vulnerabilities even though
    it told the researchers that they don't pose an immediate threat to its
    users.

    We've also rounded up the best identity theft protection , best firewall and best malware removal software

    Via Threatpost



    ======================================================================
    Link to news story: https://www.techradar.com/news/microsoft-teams-might-have-a-few-serious-securi ty-issues/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)