In early March this year, the Berlin-based security company Positive Security discovered bugs in Microsoft Teams, which is generally used for internal communications in businesses. All of the flaws were in a single Teams feature: link previews.
One fixed, three left
The company shared the details of the possible threats with Microsoft. However, the tech giant fixed only one of the flaws and left the remaining three unpatched. Microsoft stated that it is not patching these three flaws because it does not consider them an immediate threat that requires urgent attention. After giving Microsoft roughly 9 months, Positive Security decided to disclose the flaws.
The four attack vectors are listed below:
- Server-Side Request Forgery: While this flaw does not enable attackers to leak information directly from the user’s local network, it can theoretically leak information from Microsoft’s local network. This limited SSRF provides the response time, code, size, and Open Graph data, which can be used for internal port scanning and for sending HTTP-based exploits to the discovered web services.
- Spoofing: The text, URL, preview image, hover text, and the displayed hostname can be changed by attackers. That leads users to click a “trusted” link and go to a completely different website, which might be malicious.
- IP Address Leak: This flaw allows leaking a user’s IP address and user agent data by sending a message with a specially crafted link preview in the Android Teams app. This is the only issue that Microsoft has fixed.
- Denial of Service: If the preview of a link is invalid, the Android app simply crashes. The app keeps crashing whenever the user tries to open the chat or channel containing the invalid link, making that chat or channel unusable for Android Teams app users.
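From the defender's side, a link-preview fetcher can refuse the targets that make the SSRF item above useful for internal port scanning. The following is an added example, not code from Positive Security or Microsoft; the function names, the port allow-list and the sample DNS table are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}  # assumed policy: previews only fetch standard web ports

# Constructed sample DNS data so the example runs offline (not real records).
SAMPLE_DNS = {
    "news.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "127.0.0.1"],
}

def sample_resolve(host):
    """Hypothetical resolver: IP literals and unknown names map to themselves."""
    return SAMPLE_DNS.get(host, [host])

def is_public_ip(addr):
    """True only for globally routable addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP at all (e.g. an unresolved name)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global

def check_preview_target(url, resolve=sample_resolve):
    """Return (allowed, reason) for a URL a preview service is asked to fetch."""
    try:
        parts = urlsplit(url)
        default = 443 if parts.scheme == "https" else 80
        port = parts.port if parts.port is not None else default
    except ValueError:
        return False, "malformed"
    if parts.scheme not in ("http", "https"):
        return False, "scheme"
    if not parts.hostname:
        return False, "host"
    if port not in ALLOWED_PORTS:
        return False, "port"
    addrs = resolve(parts.hostname)
    # Every resolved address must be public; one internal record is enough to reject.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        return False, "non-public address"
    return True, "ok"
```

The fetcher must then connect to the address that was checked and repeat the check on every redirect, otherwise a DNS change or a redirect between check and fetch bypasses it.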
Microsoft has not yet responded to Positive Security’s action.