HomeWinBuzzer NewsMicrosoft Teams @Mentions Flaw Could Allow Attacker App Access

Microsoft Teams @Mentions Flaw Could Allow Attacker App Access

A recently found Microsoft Teams wormable exploit would allow a threat actor to see chats without needing user interaction to execute.

-

Teams has a security flaw that could give personal details of users to a threat actor.

Concerningly, the vulnerability would give hackers visibility of end user accounts simply by seeing a message. In other words, no interaction by the user is needed to enact an exploit of the flaw.

According to security researcher Oskars Vegeris, this is a wormable exploit in could target a vulnerability. It would access the client chat and view the messes resulting in a “complete loss of confidentiality and integrity for end-users — access to private chats, files, internal network, private keys and personal data outside MS Teams.”

Vegeris points to a vulnerability in a cross-site scripting (XSS) and a JavaScript RCE payload component in Microsoft Teams. This flaw is found in the @mentions feature of the service. If an attacker exploits this security hole, they could gain access to other parts of the app.

Because it affects a universal Teams feature, the wormable exploit is found across platforms, so Windows, Linux, Mac, and the web versions.

Fix

This is clearly a problematic vulnerability but Vegeris says he originally found the flaw in August. He reported it to Microsoft at the time. During an October round of updates, the company issued a patch for this vulnerability.

That means it is worthwhile ensuring your Teams apps are up to date.

Interestingly, the researcher also found a wormable vulnerability in Microsoft Teams rival . He says this flaw would allow a threat actor to control the Slack app by sending a malicious file to another user. However, unlike the Teams flaw this would require user interaction.

Last Updated on December 12, 2020 1:41 pm CET by Markus Kasanmascheff

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News