430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Three trivial bugs in Microsoft Teams Software remain unpatched

Researchers disclosed four vulnerabilities in the Teams business communication software, but Microsoft will not address three of them. Researchers from cybersecurity firm Positive Security discovered four vulnerabilities in the Teams business communication software that could allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and triggering a […]

Microsoft Teams

Researchers disclosed four vulnerabilities in the Teams business communication software, but Microsoft will not address three of them.

Researchers from cybersecurity firm Positive Security discovered four vulnerabilities in the Teams business communication software that could allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and triggering a DoS condition on their Teams app/channels.

The vulnerabilities reside in the Microsoft Team link preview feature, experts reported them to Microsoft in March 2021, but the company will not fix three of them.

Microsoft only addressed a vulnerability that can lead to the leak of the IP address from Android devices, the company also explained that it will address the DoS flaw in a future version of the software.

The first bug is a server-side request forgery (SSRF) issue vulnerability in the endpoint “/urlp/v1/url/info,” an attacker can exploit it to reconnaissance of Microsoft’s local network.

“The URL is not filtered, leading to a limited SSRF (response time, code, size and open graph data leaked), which can be used for internal portscanning and sending HTTP-based exploits to the discovered web services.” reads the analysis of the experts.

A closer look at the link preview revealed a spoofing vulnerability, experts noticed that the preview link target can be set to any location independent of the main link, preview image and description, the displayed hostname or on-hover text.

This means that when clicking the preview, a different link is opened than what was expected by the user, exposing the recipient to phishing attacks.

The third flaw discovered by the researchers is a DoS vulnerability that affects the Android version of the popular software. The vulnerability can be triggered by sending a message with a specially crafted link preview containing an invalid target instead of a legitimate URL, this will cause the crash of the app.

The fourth vulnerability is an IP address leak as reported by the researchers:

“When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail. However, by intercepting the sending of the message, it’s possible to point the thumbnail URL to a non-Microsoft domain.” reads the analysis. “The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain.”

The experts pointed out that the flaws have a limited impact, but they expressed their surprise in finding so trivial attack vectors unpatched.

“While the discovered vulnerabilities have a limited impact, it’s surprising both that such simple attack vectors have seemingly not been tested for before, and that Microsoft does not have the willingness or resources to protect their users from them.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Teams)

[adrotate banner=”5″]

[adrotate banner=”13″]