There may be some significant security vulnerabilities with Microsoft Teams


While investigating this issue, researchers discovered that the SOP in Teams could be circumvented by abusing the link preview feature of Microsoft’s video conferencing software. The feature lets the client generate link previews for landing pages, produce summary text or visuals, and extract information using optical character recognition (OCR) on preview images. In doing so, Fabian Bräunlein, co-founder of Positive Security, discovered another, separate vulnerability in the feature’s implementation.

Security researchers have identified four separate vulnerabilities in Microsoft Teams that attackers could exploit to forge link previews, leak IP addresses, and access internal services of the software giant.
These findings were made by Positive Security researchers while looking for ways to bypass the Same Origin Policy (SOP) in Teams and Electron, according to a new blog post. For those unfamiliar, SOP is a browser security mechanism that helps prevent websites from attacking each other.

Highlights

  • DoS bugs are of particular concern. An attacker could crash the Teams app for Android by sending a user a message containing a link preview with an invalid preview link target. The app then keeps crashing whenever the user tries to open the chat or channel containing the malicious message. The findings were responsibly disclosed to Microsoft on March 10th through its bug bounty program. In the meantime, however, the software giant has only patched the IP address leak vulnerability in Teams for Android. Now that Positive Security has published its findings, Microsoft may need to patch the three remaining vulnerabilities, but they don’t pose an immediate threat to users, the researchers said.

  • Microsoft Teams vulnerabilities. Of the four bugs Bräunlein discovered in Teams, two can be used on any device and allow server-side request forgery (SSRF) and spoofing, while the other two affect only Android phones and can be exploited to leak IP addresses or achieve denial of service (DoS). By exploiting the SSRF vulnerability, the researcher was able to leak information from Microsoft’s local network. Spoofing bugs, on the other hand, can be used to make phishing attacks more effective or hide malicious links.
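
For defenders who run their own server-side link-preview service, the SSRF class described above is usually closed by refusing to fetch any URL that resolves to a non-public address. The following is an added example, not code from Microsoft or Positive Security; the function names, host names and the `SAMPLE_DNS` table are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "preview.example": ["93.184.216.34"],
    "intranet.example": ["10.1.2.3"],
    "mixed.example": ["93.184.216.34", "169.254.169.254"],
}

def sample_resolver(host):
    """Offline stand-in for DNS; unknown names fail like a real lookup."""
    if host not in SAMPLE_DNS:
        raise OSError("name not found")
    return SAMPLE_DNS[host]

def system_resolver(host):
    """Return every address (A and AAAA) the host resolves to."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_public(addr_text):
    """True only for globally routable, non-multicast addresses."""
    addr = ipaddress.ip_address(addr_text.split("%")[0])  # drop any zone id
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the embedded IPv4 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast

def check_preview_target(url, resolver=system_resolver):
    """Return (allowed, reason) for a URL the preview service is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)          # IP literal: nothing to resolve
        addresses = [host]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "resolution failed"
    # Reject if ANY answer is internal, so a mixed record set cannot slip through.
    for address in addresses:
        if not is_public(address):
            return False, f"non-public address {address}"
    return (True, "ok") if addresses else (False, "resolution failed")
```

The same check has to be repeated on every redirect hop, and the fetch should connect to the address that was validated rather than resolving the name a second time.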
