Researchers have discovered at least four different vulnerabilities in the Microsoft Teams link preview feature. However, Microsoft has patched only one of these bugs so far, delaying or denying the patches for the rest.
Microsoft Teams Vulnerabilities Found
Sharing the details in a recent blog post, Positive Security has highlighted the four Microsoft Teams vulnerabilities risking users’ privacy.
Briefly, the first of these vulnerabilities is an SSRF flaw affecting the /urlp/v1/url/info endpoint. Exploiting this bug could allow internal port scanning and HTTP-based exploits. As stated in the post,
The second was a URL spoofing flaw that could let an adversary send malicious links to the target user while impersonating legitimate URLs. This flaw potentially contributes to phishing attacks.
The third security bug affected the Microsoft Teams Android app and could be exploited to reveal users' IP addresses. Regarding this vulnerability, the researchers explained,
When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail. However, by intercepting the sending of the message, it’s possible to point the thumbnail URL to a non-Microsoft domain. The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain.
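The missing client-side check described in the quote above can be sketched as follows. This is an added example, not code from Microsoft Teams or from the researchers; the host names and the preview object shape are placeholders, since the article does not name the Microsoft domain that serves thumbnails.

```javascript
// Added example, not Teams code. Host names are placeholders (assumption):
// the article does not name the Microsoft domain that serves thumbnails.
const ALLOWED_HOSTS = ["thumbs.example-proxy.test"];   // exact matches
const ALLOWED_PARENTS = ["example-cdn.test"];          // any subdomain of these

function checkThumbnailUrl(raw) {
  let url;
  try {
    url = new URL(raw); // no base URL: relative and "//host" forms fail to parse
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  if (url.port !== "") return { ok: false, reason: "port" };
  // hostname is already lower-cased by the parser; drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  const allowed =
    ALLOWED_HOSTS.includes(host) ||
    // Match on a label boundary so "evilexample-cdn.test" does not pass.
    ALLOWED_PARENTS.some((d) => host === d || host.endsWith("." + d));
  return allowed ? { ok: true, host } : { ok: false, reason: "host" };
}

// Hypothetical preview shape { url, title, thumbnailUrl }: keep the text of
// the preview but drop a thumbnail the client must not fetch directly.
function sanitizePreview(preview) {
  const verdict = checkThumbnailUrl(String(preview.thumbnailUrl || ""));
  return verdict.ok
    ? { ...preview }
    : { ...preview, thumbnailUrl: null, thumbnailRejected: verdict.reason };
}

// Constructed sample inputs.
const SAMPLES = [
  "https://thumbs.example-proxy.test/v1/img?id=abc",
  "https://IMG7.Example-CDN.test./t.png",
  "https://tracker.example.org/pixel.png",
  "https://evilexample-cdn.test/t.png",
  "https://thumbs.example-proxy.test@tracker.example.org/t.png",
  "http://thumbs.example-proxy.test/t.png",
];
for (const s of SAMPLES) console.log(s, JSON.stringify(checkThumbnailUrl(s)));
```

Rejecting the thumbnail while keeping the rest of the preview means the receiving client never contacts a sender-chosen host, so its IP address and user agent stay hidden.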
The last bug also affected the Microsoft Teams Android app and leads to a denial of service. It only required an adversary to send a link with an invalid preview to the target user. Clicking on this link would crash the app.
Microsoft Patched Only One Bug
The researchers reported these vulnerabilities to Microsoft in March 2021. However, of the four bugs, Microsoft only patched the Android app’s IP leak flaw, denying the patches for the rest.
Specifically, Microsoft only expressed the possibility of fixing the DoS flaw “in a future version”. For the other two bugs, the tech giant simply declined to work on them, citing their potentially limited exploitability and low risk.
This means that Microsoft Teams users should now remain very careful while opening any web links. In particular, they need to remain wary of any links received from unsolicited users to avoid any risks.
Last modified: December 24, 2021