Microsoft Teams has a security flaw that could give personal details of users to a threat actor.

Concerningly, the vulnerability would give hackers visibility of end user accounts simply by seeing a message. In other words, no interaction by the user is needed to enact an exploit of the flaw.

According to security researcher Oskars Vegeris, this is a wormable exploit in Microsoft Teams could target a vulnerability. It would access the client chat and view the messes resulting in a “complete loss of confidentiality and integrity for end-users — access to private chats, files, internal network, private keys and personal data outside MS Teams.”

Vegeris points to a vulnerability in a cross-site scripting (XSS) and a JavaScript RCE payload component in Microsoft Teams. This flaw is found in the @mentions feature of the service. If an attacker exploits this security hole, they could gain access to other parts of the app.

Because it affects a universal Teams feature, the wormable exploit is found across platforms, so Windows, Linux, Mac, and the web versions.


This is clearly a problematic vulnerability but Vegeris says he originally found the flaw in August. He reported it to Microsoft at the time. During an October round of updates, the company issued a patch for this vulnerability.

That means it is worthwhile ensuring your Teams apps are up to date.

Interestingly, the researcher also found a wormable vulnerability in Microsoft Teams rival Slack. He says this flaw would allow a threat actor to control the Slack app by sending a malicious file to another user. However, unlike the Teams flaw this would require user interaction.