Researchers from Positive Security have outlined four bugs in the Microsoft Teams platform that made it vulnerable since March. The bugs allowed attackers to spoof links, which opened the door to Denial of Service (DoS) attacks for Android users. Two of the four bugs discovered affected Microsoft Teams being used on any device and allow for server-side request forgery (SSRF) and spoofing, researchers said. The other two, named “IP Address Leak” and “Denial of Service aka Message of Death” by researchers, affect only Android users. The SSRF vulnerability allowed researchers to leak information from Microsoft’s local network and was discovered when they tested the /urlp/v1/url/info endpoint for SSRF. Attackers can leverage the spoofing bug to ramp up phishing attacks or hide malicious links in content that is sent to users. To abuse the Android DoS bug, threat actors can send messages to someone using Teams through the Android app that includes a link preview with an invalid preview link target. This will crash the app when the user tries to view the channel. Finally, attackers can use the IP address leak bug to intercept messages that include a link preview to point the thumbnail URL to a non-Microsoft domain.
Analyst Notes
Positive Security reached out to Microsoft with its research in March and finally got the go-ahead to release its findings. Microsoft declined to patch the DoS bug, the SSRF bug, and the IP address bug in the beginning, stating that none of the issues were critical enough to warrant being fixed immediately. After a retest of the bugs on December 15th, it appeared to Positive Security that all the issues have been patched.
Four Bugs in Microsoft Teams Left Platform Vulnerable Since March
