Attackers exploiting bugs in the "link preview" feature in Microsoft Teams could abuse the flaws to spoof links, leak an Android user's IP address and launch a denial-of-service (DoS) attack.
Four vulnerabilities in Microsoft Teams, unpatched since March, allowed spoofing of URLs and opened the door to DoS attacks against Android users, researchers observed.
Researchers from Positive Security discovered the four bugs in the feature earlier this year and told Microsoft about the issues on March 10.
As yet, only one of the bugs, a flaw allowing attackers to leak Android users' IP addresses, appears to have been patched by the company, researcher Fabian Bräunlein explained in a blog post published Wednesday.
Microsoft Teams is a collaboration tool that helps people working in different geographic locations work together online. Because of this, use of the platform has increased dramatically during the pandemic, making it an increasingly attractive target for threat actors.
Positive Security researchers "stumbled upon" the vulnerabilities when they were looking for a way to bypass the Same-Origin Policy (SOP) of Teams' Electron client, Bräunlein wrote in the report. SOP is a security mechanism of browsers that aims to stop websites from attacking each other.
Bypass the SOP
Researchers found that one possible means to bypass the SOP in Teams is to abuse the link preview feature: let the client generate a link preview for the target page, and then use the summary text, or perform optical character recognition (OCR) on the preview image, to steal information.
“In Teams, this preview is actually generated server-side by Microsoft,” something that is possible because there is no end-to-end encryption present, Bräunlein explained.
This means that the feature cannot be abused to leak information from the user’s local network – e.g., the Node.js debug server, he outlined.
“However, while investigating this feature, I stumbled upon a few unrelated vulnerabilities in its implementation,” Bräunlein stated.
Two of the four bugs affect Microsoft Teams on any device and allow server-side request forgery (SSRF) and spoofing, researchers observed. The other two, dubbed "IP Address Leak" and "Denial of Service aka Message of Death" by the researchers, affect only Android users.
The SSRF vulnerability allowed researchers to leak information from Microsoft's local network. It was discovered when Bräunlein evaluated the /urlp/v1/url/info endpoint for SSRF, he revealed.
"The URL is not filtered, leading to a limited SSRF (response time, code, size and open graph data leaked), which can be used for internal port-scanning and sending HTTP-based exploits to the discovered web services," Bräunlein explained.
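The root cause described above is a server-side fetcher that follows any URL a user supplies. The following is an added example of the kind of destination filtering such a fetcher needs; it is not code from the article, from Positive Security or from Microsoft. The blocked ranges are the standard loopback, private, link-local and multicast networks, and the `resolver` parameter is an assumption that lets the check be run offline against constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a server-side preview fetcher must never contact:
# loopback, RFC 1918, link-local (which includes cloud metadata
# services), CGNAT, multicast, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def default_resolver(host):
    """Resolve a hostname to every A/AAAA address it currently maps to."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr):
    """True if the address falls inside any blocked network."""
    ip = ipaddress.ip_address(addr)
    # IPv4-mapped IPv6 literals (::ffff:10.0.0.1) must be judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_safe_preview_url(url, resolver=default_resolver):
    """Return True only if a preview fetcher may contact this URL.

    Rejects non-HTTP schemes, unusual ports, unresolvable hosts, and any
    host that resolves (wholly or partly) to an internal address.
    """
    try:
        parsed = urlparse(url)
        port = parsed.port          # raises ValueError on a bad port
    except ValueError:
        return False
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if port not in (None, 80, 443):
        return False
    host = parsed.hostname
    try:
        # IP literals need no lookup; everything else goes to the resolver.
        addrs = [host] if _is_ip_literal(host) else resolver(host)
    except (OSError, KeyError, UnicodeError):
        return False
    if not addrs:
        return False
    # Every answer must be public: a single internal record is enough to reject.
    return not any(is_blocked_address(a) for a in addrs)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed DNS answers, not real records.
    fake_dns = {"public.example": ["203.0.113.10"],
                "intranet.example": ["10.1.2.3"]}
    for u in ("https://public.example/page", "https://intranet.example/",
              "http://127.0.0.1/json", "file:///etc/hosts"):
        print(u, "->", is_safe_preview_url(u, resolver=fake_dns.__getitem__))
```

The fetcher must then connect to the address it validated rather than resolve the name a second time, otherwise a record that changes between the check and the fetch (DNS rebinding) defeats the filter; the same applies to each hop of an HTTP redirect, which should be re-checked with this function before it is followed.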
Attackers can use the spoofing bug to strengthen phishing attacks or hide malicious links in content sent to users, he suggested.
This can be done by setting the preview link target "to any location independent of the main link, preview image and description, the displayed hostname or onhover text," according to the post.
To abuse the Android DoS bug, a threat actor can send a message to someone using Teams via its Android app that includes a link preview with an invalid preview link target.
This crashes the app every time the user tries to open the chat or channel containing the malicious message, effectively locking users out of that chat or channel, Bräunlein outlined.
IP Address Leak Bug
Finally, attackers can use the IP address leak bug, the only one Microsoft appears to have remedied, by intercepting messages that include a link preview and pointing the thumbnail URL to a non-Microsoft domain.
This is possible because, for link previews, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain, Bräunlein observed.
"The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain," he explained.
Microsoft first responded to Positive Security on March 12, two days after the disclosure, and the two parties went "back-and-forth" for a couple of weeks on details of the spoofing issue.
Between March 25 and April 14, the company responded conclusively to each of the individual issues raised and eventually gave the researchers permission to reveal their findings publicly, according to the post.
Microsoft on Wednesday did not immediately return a request for comment on Positive Security's report.
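The three client-side issues above (spoofing, the Android "message of death" and the thumbnail IP leak) share one mitigation: the client validates a preview's metadata before rendering it. The following is an added example of such a check; it is not code from the article, from Positive Security or from Microsoft. The message layout (`link`, `preview.target`, `preview.display_host`, `preview.thumbnail`) is a hypothetical shape, since the article does not show the real Teams message schema, and `ALLOWED_THUMBNAIL_HOSTS` is a constructed stand-in for the Microsoft-controlled domains a `Content-Security-Policy` `img-src` directive would permit.

```python
from urllib.parse import urlparse

# Constructed allowlist standing in for the domains from which the backend
# serves re-hosted thumbnails; the real list is not given in the article.
ALLOWED_THUMBNAIL_HOSTS = {"preview-cdn.example"}


def parse_http_url(url):
    """Return the parsed URL if it is a well-formed absolute http(s) URL, else None."""
    if not isinstance(url, str):
        return None
    try:
        parsed = urlparse(url)       # raises ValueError on e.g. "http://[::1"
    except ValueError:
        return None
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return None
    return parsed


def validate_preview(message):
    """Return a list of findings; an empty list means the preview may be rendered.

    Hypothetical message shape:
      {"link": "...", "preview": {"target": "...", "display_host": "...",
                                  "thumbnail": "..."}}
    """
    findings = []
    preview = message.get("preview") or {}
    link = parse_http_url(message.get("link"))
    target = parse_http_url(preview.get("target"))

    if link is None:
        findings.append("main link is not a valid http(s) URL")

    # DoS: an unparseable target is rejected here instead of reaching the
    # renderer, so a single bad message cannot make the whole chat unopenable.
    if target is None:
        findings.append("preview target is not a valid http(s) URL")
    else:
        # Spoofing: the clickable target must stay on the host of the link
        # the preview claims to describe.
        if link is not None and target.hostname.lower() != link.hostname.lower():
            findings.append("preview target host differs from the linked host")
        display_host = preview.get("display_host")
        if display_host and display_host.lower() != target.hostname.lower():
            findings.append("displayed hostname does not match the preview target")

    # IP leak: the thumbnail may only be loaded from allowlisted hosts, the
    # equivalent of a CSP img-src restriction.
    if "thumbnail" in preview:
        thumb = parse_http_url(preview.get("thumbnail"))
        if thumb is None:
            findings.append("thumbnail is not a valid http(s) URL")
        elif thumb.hostname.lower() not in ALLOWED_THUMBNAIL_HOSTS:
            findings.append("thumbnail host is not on the allowlist")
    return findings


if __name__ == "__main__":
    # Constructed sample messages.
    ok = {"link": "https://docs.example/page",
          "preview": {"target": "https://docs.example/page",
                      "display_host": "docs.example",
                      "thumbnail": "https://preview-cdn.example/a.png"}}
    print(validate_preview(ok))  # []
```

A client that drops the preview (but still shows the plain message) whenever `validate_preview` returns findings fails closed on all three bugs, and logging the findings gives the operations team a signal that someone is sending crafted previews.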
Not to Patch
On March 25, the company decided not to patch the DoS and SSRF bugs, according to Bräunlein.
Microsoft stated that it had determined that the DoS bug "does not require immediate security service" because it is of "low severity for temporary DoS that requires restart of application," according to the post.
Fixing the Issue
Microsoft added that it would consider fixing the issue in a later version of the product.
As for the SSRF bug, Microsoft gave no reason for closing the case without a patch, saying only that the company "will not be fixing this vulnerability in the current version," according to Positive Security.
Microsoft also declined to patch the Android IP address leak on April 4, concluding that the issue "does not pose an immediate threat that requires urgent attention due to the general data sensitivity of the IP address data."
Share the Report
The company did, however, share the report with the team responsible for the product, and a re-test of all the bugs that Positive Security conducted on December 15 showed that this issue seems to have been patched, Bräunlein wrote.
On April 14, Microsoft also declined to address the URL spoofing issue, concluding that it too does not pose an immediate threat "because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it's not the one the user was expecting," according to Positive Security.