Researchers from cybersecurity firm Positive Security discovered four vulnerabilities in the Teams business communication software that could allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and triggering a DoS condition on their Teams app/channels.
The vulnerabilities reside in the Microsoft Team link preview feature, experts reported them to Microsoft in March 2021, but the company will not fix three of them.
Microsoft only addressed a vulnerability that can lead to the leak of the IP address from Android devices, the company also explained that it will address the DoS flaw in a future version of the software.
The first bug is a server-side request forgery (SSRF) issue vulnerability in the endpoint “/urlp/v1/url/info,” an attacker can exploit it to reconnaissance of Microsoft’s local network.
“The URL is not filtered, leading to a limited SSRF (response time, code, size and open graph data leaked), which can be used for internal portscanning and sending HTTP-based exploits to the discovered web services.” reads the analysis of the experts.
A closer look at the link preview revealed a spoofing vulnerability, experts noticed that the preview link target can be set to any location independent of the main link, preview image and description, the displayed hostname or on-hover text.
This means that when clicking the preview, a different link is opened than what was expected by the user, exposing the recipient to phishing attacks.
The third flaw discovered by the researchers is a DoS vulnerability that affects the Android version of the popular software. The vulnerability can be triggered by sending a message with a specially crafted link preview containing an invalid target instead of a legitimate URL, this will cause the crash of the app.
The fourth vulnerability is an IP address leak as reported by the researchers:
“When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail. However, by intercepting the sending of the message, it’s possible to point the thumbnail URL to a non-Microsoft domain.” reads the analysis. “The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain.”
The experts pointed out that the flaws have a limited impact, but they expressed their surprise in finding so trivial attack vectors unpatched.
“While the discovered vulnerabilities have a limited impact, it’s surprising both that such simple attack vectors have seemingly not been tested for before, and that Microsoft does not have the willingness or resources to protect their users from them.” concludes the report.
(SecurityAffairs – hacking, Microsoft Teams)