silversurfer
Four vulnerabilities in Microsoft Teams, unpatched since March, allowed link spoofing of URLs and opened the door to DoS attacks against Android users, researchers said.
Researchers from Positive Security discovered four bugs in the feature earlier this year and told Microsoft about the issues on March 10. So far, only one of the bugs—a bug allowing attackers to leak Android IP addresses—appears to have been patched by the company, researcher Fabian Bräunlein said in a blog post published Wednesday.
Positive Security researchers “stumbled upon” the vulnerabilities when they were looking for a way to bypass Teams’ Electron’s Same-Origin Policy (SOP), he wrote in the report. SOP is a security mechanism of browsers that aims to prevent websites from attacking each other.
Researchers discovered that one potential way to bypass the SOP in Teams is to abuse the link preview feature by letting the client generate a link preview for the target page, and then using the summary text or performing optical character recognition (OCR) on the preview image to extract information.
Four Bugs in Microsoft Teams Left Platform Vulnerable Since March
Attackers exploiting bugs in the “link preview” feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user’s IP address and launch a DoS attack.
threatpost.com