According to Microsoft, three of the four security flaws discovered in Microsoft’s Teams business communication platform earlier this March will either not be fixed or will have their fixes pushed out to a later date.
Positive Security, a Berlin-based cybersecurity firm, discovered that the link preview feature’s implementation was vulnerable to a number of issues that could “allow accessing internal Microsoft services, spoofing the link preview, and, for Android users, leaking their IP address, and DoS’ing their Teams app/channels.”
Microsoft addressed only one of the four vulnerabilities, which allowed attackers to gain access to targets’ IP addresses if they used Android devices. Concerning the other bugs, Microsoft stated that the SSRF would not be fixed in the current version, but that a fix for the DoS would be considered in a future release.
The company’s decision not to address the spoofing bug, which could be used in phishing campaigns, is explained in part by Teams’ use of Defender for Office 365 Safe Links protection to protect users from URL-based phishing attacks since July.
While Safe Links protection is available to all Teams users and works for links shared across conversations, group chats, and Teams channels, it must be enabled in the Microsoft 365 Defender portal by creating a Safe Links policy.
The DoS vulnerability, which affects the Android version of Teams, can cause the app to crash by sending a message with a specially crafted link preview that contains an invalid target instead of a legitimate URL. The final issue is an IP address leak, which also affects the Android app.
Positive Security claims that by intercepting messages containing a link preview and redirecting the thumbnail URL to a non-Microsoft domain, it is possible to gain access to a user’s IP address and user agent data.
Finally, Positive Security co-founder Fabian Bräunlein concluded that “it’s surprising both that such simple attack vectors have seemingly not been tested for before, and that Microsoft does not have the willingness or resources to protect their users from them.”