Microsoft Teams @Mentions Flaw Could Allow Attacker App Access

A recently found Microsoft Teams wormable exploit would allow a threat actor to see chats without needing user interaction to execute.

Teams has a security flaw that could give personal details of users to a threat actor.

Concerningly, the vulnerability would give hackers visibility of end-user accounts simply by the user seeing a message. In other words, no interaction by the user is needed to trigger an exploit of the flaw.

According to security researcher Oskars Vegeris, a wormable exploit in Microsoft Teams could target the vulnerability. It would access the client chat and view the messages, resulting in a “complete loss of confidentiality and integrity for end-users — access to private chats, files, internal network, private keys and personal data outside MS Teams.”

Vegeris points to a cross-site scripting (XSS) vulnerability and a JavaScript RCE payload component in Microsoft Teams. The flaw is found in the @mentions feature of the service. If an attacker exploits this security hole, they could gain access to other parts of the app.

Because it affects a universal Teams feature, the wormable exploit works across platforms, namely the Windows, Linux, Mac, and web versions.

Fix

This is clearly a problematic vulnerability, but Vegeris says he originally found the flaw in August and reported it to Microsoft at the time. During an October round of updates, the company issued a patch for this vulnerability.

That means it is worthwhile ensuring your Teams apps are up to date.

Interestingly, the researcher also found a wormable vulnerability in Microsoft Teams rival Slack. He says this flaw would allow a threat actor to control the Slack app by sending a malicious file to another user. However, unlike the Teams flaw, this would require user interaction.

Last Updated on December 12, 2020 1:41 pm CET

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
