Security vulnerabilities found in Microsoft Teams by researchers

Updated: Dec 23, 2021 15:36 | Editorji News Desk

A team of researchers from Positive Security found four vulnerabilities in Microsoft Teams, they announced in a blog post. The vulnerabilities could allow an attacker to spoof link previews, access internal Microsoft services, leak IP addresses, and DDoS the Teams app on Android.

The team reportedly found the issues while researching the URL preview feature in Teams, Positive Security co-founder Fabian Bräunlein said.

Four vulnerabilities found in Microsoft Teams

One of the vulnerabilities is a server-side request forgery (SSRF) issue, which could leak information such as the response time, code, size, and Open Graph data. Another is a spoofing attack, in which clicking a preview link could open a different link than the user expected, leading to a possible phishing attack.

A third vulnerability could allow leaking a user's IP address and user agent data by sending a message with a specially crafted link preview on Android.

The fourth, and potentially most serious, vulnerability allows an attacker to crash the Teams app on Android completely by sending a message with an invalid preview link. Opening the chat or conversation containing the bad link will then repeatedly crash the Teams app.

Microsoft issues fix for one issue

Positive Security say that they disclosed these vulnerabilities to Microsoft on March 10, 2021. However, they claim that Microsoft has only patched one of the four mentioned issues, concerning the IP leak on Android.

Bräunlein said that the DDoS issue could ‘become annoying’ for some users, but only the link spoofing vulnerability is likely to be used in serious attacks.
