A simple vulnerability in collaboration platform (opens in new tab) Microsoft Teams could have given attackers the keys to the kingdom, researchers have found.
According to security company Tenable, although Microsoft has now remedied the situation, the vulnerability exposed all manner of sensitive information, from chat logs and email (opens in new tab) to files shared via OneDrive (opens in new tab) or SharePoint.
Beyond data exposure, the bug could also have been used to seize control of users’ Microsoft 365 (opens in new tab) accounts. With this level of access, attackers could have sent emails from victims’ accounts, for example, setting the stage for spear-phishing and other secondary attacks.
- We've built a list of the best antivirus (opens in new tab) services right now
- Check out our list of the best ransomware protection (opens in new tab) services out there
- Here's our list of the best password managers (opens in new tab) around
Microsoft Teams exploit
The Teams (opens in new tab) exploit makes use of a separate Microsoft product called Power Apps, which is designed to assist with application development. This service can be launched as a tab within Microsoft Teams.
Tenable researchers discovered that the mechanism for verifying content loaded into Power Apps was easy to manipulate. By spoofing the trusted domain (https://make.powerapps.com), an attacker could have created a malicious Power Apps tab capable of compromising any Teams user that clicked through.
“Despite its simplicity, this vulnerability poses a significant risk as it could be leveraged to launch a number of different attacks across a variety of services, potentially exposing sensitive files and conversations, or to allow an attacker to masquerade as other users and perform actions on their behalf,” said Evan Grant, Staff Research Engineer at Tenable.
“Given the number of access tokens this vulnerability exposes, there are likely to be other creative and serious potential attacks not explored in our proofs-of-concept.”
The silving lining is that the vulnerability could only have been exploited by someone with authority to create Power Apps tabs. Although insider attacks are commonplace, this at least means the exploit could not have been abused by an unauthenticated third-party.
Soon after the issue was disclosed, Microsoft rolled out a fix to all customers, with no action required from end-users or administrators. There is no evidence to suggest the vulnerability was abused in the wild.
TechRadar Pro asked Microsoft whether it would like to provide any additional color or advice, but the company declined to comment.
- Here's our list of the best patch management (opens in new tab) services around