A researcher at security firm Tenable has found a vulnerability in Microsoft’s Teams application that could allow an attacker to take control of a user’s account. This could grant the attacker access to the victim’s chat history, the ability to read and send emails on the victim’s behalf, and access to files in their OneDrive storage.
The vulnerability actually came through the Power Apps service that Microsoft offers to businesses. The service lets them build for business-specific use cases on top of Microsoft’s products, like Teams, Excel and other apps.
Attackers could exploit the lack of URL verification in Power Apps to target a company’s users, which can be catastrophic. The severity of this vulnerability is amplified by the permissions granted to Microsoft Power Apps within Microsoft Teams.
The flaw was what is called a “server-side vulnerability”. These are vulnerabilities that exist on the servers that power Microsoft’s apps, software and services. Such vulnerabilities can be fixed by companies without user action, but system administrators may still want to recheck their systems for possible exploits.