A simple vulnerability in collaboration platform Microsoft Teams could have given attackers the keys to the kingdom, researchers have found.
According to security company Tenable, although Microsoft has now remedied the situation, the vulnerability exposed all manner of sensitive information, from chat logs and email to files shared via OneDrive or SharePoint.
Beyond data exposure, the bug could also have been used to seize control of users’ Microsoft 365 accounts. With this level of access, attackers could have sent emails from victims’ accounts, for example, setting the stage for spear-phishing and other secondary attacks.
- We've built a list of the best antivirus services right now
- Check out our list of the best ransomware protection services out there
- Here's our list of the best password managers around
Microsoft Teams exploit
The Teams exploit makes use of a separate Microsoft product called Power Apps, which is designed to assist with application development. This service can be launched as a tab within Microsoft Teams.
Tenable researchers discovered that the mechanism for verifying content loaded into Power Apps was easy to manipulate. By spoofing the trusted domain (https://make.powerapps.com), an attacker could have created a malicious Power Apps tab capable of compromising any Teams user that clicked through.
“Despite its simplicity, this vulnerability poses a significant risk as it could be leveraged to launch a number of different attacks across a variety of services, potentially exposing sensitive files and conversations, or to allow an attacker to masquerade as other users and perform actions on their behalf,” said Evan Grant, Staff Research Engineer at Tenable.
“Given the number of access tokens this vulnerability exposes, there are likely to be other creative and serious potential attacks not explored in our proofs-of-concept.”
The silving lining is that the vulnerability could only have been exploited by someone with authority to create Power Apps tabs. Although insider attacks are commonplace, this at least means the exploit could not have been abused by an unauthenticated third-party.
Soon after the issue was disclosed, Microsoft rolled out a fix to all customers, with no action required from end-users or administrators. There is no evidence to suggest the vulnerability was abused in the wild.
TechRadar Pro asked Microsoft whether it would like to provide any additional color or advice, but the company declined to comment.
- Here's our list of the best patch management services around