UPDATE
Four vulnerabilities in Microsoft Teams' link-preview feature, reported to Microsoft in March and still largely unpatched, allow URL spoofing and open the door to denial-of-service (DoS) attacks against Android users, researchers said.
Researchers from Positive Security discovered the four bugs in the link-preview feature earlier this year and told Microsoft about them on March 10. So far only one of the bugs, one that allowed attackers to leak the IP addresses of Android users, appears to have been patched by the company, researcher Fabian Bräunlein said in a blog post published Wednesday.
In a statement to Threatpost, Microsoft said the reported bugs do not pose an immediate threat to users.
“We’ve investigated all four reports and have concluded that they do not pose immediate threats requiring a security fix. We’ve received similar reports in the past and have made several recent improvements to the handling of data and security in general. These changes block the reproduction of several of these reports, including the reported IP address leak on Android issue,” according to Microsoft.
Microsoft Teams is a collaboration tool that lets people working in different geographic locations work together online. For this reason, usage of the platform has risen during the pandemic, making it an increasingly attractive target for threat actors.
Positive Security researchers “stumbled upon” the vulnerabilities while looking for a way to bypass the Same-Origin Policy (SOP) in Teams' Electron-based desktop client, Bräunlein wrote in the report. SOP is a browser security mechanism that keeps a page from one origin from reading data belonging to another, so that websites cannot attack each other.
One potential way to bypass the SOP in Teams, the researchers found, is to abuse the link-preview feature: have the client generate a preview of the target page, then extract information from the summary text or by running optical character recognition (OCR) on the preview image.
“In Teams, this preview is actually generated server-side by Microsoft,” something that is possible only because messages are not end-to-end encrypted, Bräunlein explained. Because the preview request originates from Microsoft's servers rather than from the user's machine, the feature cannot be abused to leak information from the user's local network, such as a Node.js debug server, he said.
“However, while investigating this feature, I stumbled upon a few unrelated vulnerabilities in its implementation,” Bräunlein said.
Bug Breakdown
Two of the four bugs affect Teams on any platform and allow server-side request forgery (SSRF) and link spoofing, the researchers said. The other two, dubbed “IP Address Leak” and “Denial of Service aka Message of Death” by the researchers, affect only the Android client.
The SSRF vulnerability allowed the researchers to leak information from Microsoft's local network. Bräunlein found it while testing the /urlp/v1/url/info endpoint for SSRF, he said.
“The URL is not filtered, leading to a limited SSRF (response time, code, size and open graph data leaked), which can be used for internal portscanning and sending HTTP-based exploits to the discovered web services,” Bräunlein explained.
Attackers can use the spoofing bug to make phishing attacks more convincing or to hide malicious links in content sent to users, he said. It works by setting the preview's link target “to any location independent of the main link, preview image and description, the displayed hostname or onhover text,” according to the post.
To abuse the Android DoS bug, a threat actor sends a user of the Android app a message containing a link preview with an invalid preview link target. The app then crashes every time the user tries to open the chat or channel containing the malicious message, effectively locking the user out of that chat or channel, Bräunlein explained.
Finally, the IP address leak bug, the only one Microsoft appears to have remedied, abuses the way preview thumbnails are served. Normally the Teams backend fetches the referenced thumbnail and makes it available from a Microsoft domain. An attacker can intercept a message that includes a link preview and point its thumbnail URL at a non-Microsoft domain instead; when the recipient's Android client loads the image from that domain, the attacker's server learns the recipient's IP address, Bräunlein said.
“The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain,” he explained.
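The three platform-independent checks that the four findings above imply are shown below as an added JavaScript example; this is illustrative code written for this article, not Teams code or Positive Security's. It combines an SSRF guard for the URL an unfurler is asked to fetch (the /urlp/v1/url/info case), a consistency check between a preview's click target and the link it claims to represent (the spoofing case), a thumbnail-domain allowlist on the client (the IP leak case, standing in for the missing CSP), and tolerant parsing so that an invalid preview target is dropped rather than crashing the renderer (the "Message of Death" case). The preview object shape (`link`, `previewTarget`, `displayedHost`, `thumbnail`), the allowlisted host `statics.teams.example` and every sample URL are constructed for illustration.

```javascript
// Added example, not Teams or Positive Security code. Field names, the
// allowlisted thumbnail host and all sample URLs below are constructed.

// Hosts the client may load preview thumbnails from (hypothetical allowlist,
// playing the role of a CSP img-src restriction).
const THUMBNAIL_HOSTS = new Set(['statics.teams.example']);

// The WHATWG URL parser normalises IPv4 literals (hex, octal, decimal forms)
// to dotted decimal, so a regex on `hostname` is sufficient here.
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Loopback, RFC 1918, link-local and "this host" ranges an unfurler must not reach.
function isBlockedHost(hostname) {
  const h = hostname.toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost') || h.endsWith('.internal')) return true;
  if (h.startsWith('[')) {                         // IPv6 literal; the parser keeps the brackets
    const v6 = h.slice(1, -1);
    return v6 === '::1' || v6 === '::' || v6.startsWith('fe80:') ||
      /^f[cd]/.test(v6) || v6.startsWith('::ffff:'); // ::ffff: prefix = IPv4-mapped
  }
  const m = IPV4.exec(h);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 0 || a === 10 || a === 127 ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 169 && b === 254);
  }
  return false;
}

// Server side: may the unfurler fetch this URL at all? Hostname-level SSRF guard.
// A production version must also resolve the name and re-check the resulting
// address, and apply the same check to every redirect hop.
function allowedForUnfurl(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false;     // e.g. "http://trusted.example@10.0.0.5/"
  return !isBlockedHost(u.hostname);
}

// Client side: return a list of reasons a preview must not be rendered as sent.
// An unparseable field yields a problem instead of an exception, so a malformed
// message cannot take the whole chat view down.
function validatePreview(p) {
  let link, target, thumb;
  try {
    link = new URL(p.link);
    target = new URL(p.previewTarget);
    thumb = new URL(p.thumbnail);
  } catch {
    return ['unparseable URL'];
  }
  const problems = [];
  if (target.href !== link.href) problems.push('preview target differs from link');
  if (p.displayedHost && p.displayedHost.toLowerCase() !== target.hostname) {
    problems.push('displayed host differs from target host');
  }
  if (thumb.protocol !== 'https:' || !THUMBNAIL_HOSTS.has(thumb.hostname)) {
    problems.push('thumbnail host not allowed');
  }
  return problems;
}

// Constructed sample previews: one honest, one spoofed, one pointing its
// thumbnail at a third-party host.
const GOOD_PREVIEW = {
  link: 'https://example.com/doc', previewTarget: 'https://example.com/doc',
  displayedHost: 'example.com', thumbnail: 'https://statics.teams.example/t.png',
};
const SPOOFED_PREVIEW = {
  link: 'https://example.com/doc', previewTarget: 'https://attacker.example/login',
  displayedHost: 'example.com', thumbnail: 'https://statics.teams.example/t.png',
};
const LEAKY_PREVIEW = {
  link: 'https://example.com/doc', previewTarget: 'https://example.com/doc',
  displayedHost: 'example.com', thumbnail: 'https://attacker.example/pixel.png',
};

for (const [name, p] of Object.entries({ GOOD_PREVIEW, SPOOFED_PREVIEW, LEAKY_PREVIEW })) {
  console.log(name, validatePreview(p));
}
console.log('unfurl 127.0.0.1:9229 allowed?', allowedForUnfurl('http://127.0.0.1:9229/json'));
```

The unfurl guard deliberately rejects URLs carrying userinfo and non-HTTP schemes before looking at the host, and it relies on the URL parser's IPv4 normalisation so that `0x7f.0.0.1` and `[::ffff:7f00:1]` are caught as loopback. A hostname check alone is still bypassable with a DNS name that resolves to an internal address or with a redirect, which is why the comment insists on re-checking the resolved address and each redirect hop.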
Microsoft’s Response
Microsoft first responded to Positive Security on March 12, two days after the disclosure, and the two parties went “back-and-forth” for a couple of weeks on the details of the spoofing issue.
Between March 25 and April 14, the company responded conclusively to each of the individual issues and eventually gave the researchers the go-ahead to publish their findings, according to the post. On Wednesday, Microsoft did not immediately return a request for comment on Positive Security's report. On Thursday, however, it issued a statement to Threatpost asserting that the issues outlined by Positive Security did not require an immediate patch and that steps had been taken to tighten security in Teams.
On March 25, the company decided not to patch the DoS and SSRF bugs, according to Bräunlein. Microsoft said it determined that the DoS bug “does not require immediate security service” because it is of “low severity for temporary DoS that requires restart of application,” according to the post, and added that it would consider fixing the issue in a later version of the product.
For the SSRF bug, Microsoft gave no reasoning for closing the case without a patch, saying only that it “will not be fixing this vulnerability in the current version,” according to Positive Security.
Microsoft also declined to patch the Android IP address leak on April 4, determining that the issue “does not pose an immediate threat that requires urgent attention due to the general data sensitivity of the IP address data.”
The company did, however, share the report with the team responsible for the product, and a retest of all four bugs that Positive Security conducted on Dec. 15 showed that the IP address leak appears to have been patched, Bräunlein wrote.
On April 14, Microsoft also declined to address the URL spoofing issue, concluding that it too does not pose an immediate threat “because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it’s not the one the user was expecting,” according to Positive Security.
(This article was updated 12/23/2021 at 9:45 am ET with a comment from Microsoft)