Security vulnerabilities in Microsoft Teams could allow an attacker to spoof link previews, leak IP addresses, and even access internal services.
A total of four vulnerabilities in the video conferencing app were discovered by a team of security researchers. They stumbled upon the issues while researching Teams' URL preview feature for another, unrelated exploit.
The four findings are a server-side request forgery (SSRF) vulnerability and a URL preview spoofing bug in the web and desktop application, plus, for Android users, an IP address leak vulnerability and a denial-of-service (DoS) vulnerability.
In the Microsoft Teams URL preview feature, the URL is not filtered, which could lead to a limited SSRF that leaks information such as the response time, code, size, and Open Graph data. This could be used for internal port scanning and for sending HTTP-based exploits to the discovered web services.
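The filtering that a URL preview service needs before it fetches anything can be sketched as follows. This is an added example, not code from Microsoft or the researchers; the function names, the default-ports-only policy and the sample resolver table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_PORTS = {"http": 80, "https": 443}  # assumption: default web ports only

# Constructed resolver data so the example runs offline (not real DNS records).
SAMPLE_DNS = {
    "news.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}

def sample_resolver(host, port):
    if host in SAMPLE_DNS:
        return SAMPLE_DNS[host]
    ipaddress.ip_address(host)  # IP literals pass through; unknown names raise
    return [host]

def system_resolver(host, port):
    """Every address the host resolves to, IPv4 and IPv6."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_preview_target(url, resolve=system_resolver):
    """Return (ok, reason, addresses) for a URL a preview service is asked to fetch."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ALLOWED_PORTS:
        return False, "scheme not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    if port is not None and port != ALLOWED_PORTS[parts.scheme]:
        return False, "port not allowed", []
    try:
        addresses = resolve(parts.hostname, ALLOWED_PORTS[parts.scheme])
    except (OSError, ValueError):
        return False, "resolution failed", []
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])
        ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:a.b.c.d
        if not ip.is_global:  # loopback, private, link-local, reserved, ...
            return False, f"{addr} is not a public address", []
    if not addresses:
        return False, "resolution failed", []
    # Connect only to these vetted addresses, and re-check every redirect hop.
    return True, "ok", list(addresses)
```

Rejecting a name when any one of its addresses is non-public, and then connecting only to the vetted addresses, keeps a second DNS answer from steering the fetch to an internal host after the check has passed.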
The team also explained that the preview link target can be set to any location, independent of the main link, preview image and description, displayed hostname, or hover text. This could enable a malicious actor to direct the user to a fraudulent website under the guise of the URL displayed on the preview, opening the door to a host of activities.
Issues with Android Platform
The researchers also found two security flaws which specifically affected Android users. The first is an IP address leak flaw in Android which could, as the name suggests, expose the IP details of the user.
When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data are not leaked when the receiving client loads the thumbnail. By intercepting the sending of the message, it's possible to point the thumbnail URL to a non-Microsoft domain. The Android client does not check the domain or have a CSP restricting the allowed domains, and loads the thumbnail image from any domain.
Next, there is a DoS vulnerability in the Android version of Teams which could render both the app and certain channels unusable with a specially crafted message.
Microsoft has so far only patched one of the vulnerabilities, the IP address issue in Android. The unpatched vulnerabilities will be annoying to cyber defenders and remain an open issue that could be exploited. Open only valid links and delete any found to be malicious.