Users should be wary of this Microsoft Teams security flaw
Researchers have found a simple but devastating vulnerability in Microsoft Teams that could have provided attackers with the key to access the platform.
According to security firm Tenable, although Microsoft has now fixed the issue, the vulnerability exposed all sorts of sensitive information, from chat and email logs to files shared via OneDrive or SharePoint.
In addition to exposing data, this bug can also be used to take control of a user's Microsoft 365 account. With this level of access, attackers could have sent emails from victims' accounts, for example, generating funds for phishing attacks and other secondary attacks.
The Microsoft Teams exploit relies on a separate Microsoft product - Power Apps - designed to aid application development. This service can be launched as a tab in Microsoft Teams.
Tenable researchers have found that the mechanism for verifying content loaded into Power Apps is easy to manipulate. By spoofing a trusted domain (https://make.powerapps.com), an attacker could have created a malicious Power Apps tab, potentially affecting any Teams user who clicked on it.
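The kind of trusted-domain check described above, as an added example that is not Microsoft's or Tenable's code. The article does not say how the validation was implemented; this assumes a string-prefix comparison against the trusted domain and sets it beside an exact-origin comparison. Function names and sample URLs are constructed for illustration.

```javascript
// Added example: all names are hypothetical, not Microsoft's code.
const TRUSTED_ORIGIN = "https://make.powerapps.com";

// Weak (assumed pattern): string-prefix comparison. Any URL that merely
// starts with the trusted string passes, even when the host is different.
function isTrustedWeak(url) {
  return url.startsWith(TRUSTED_ORIGIN);
}

// Hardened: parse the URL and compare the normalized origin exactly.
function isTrustedStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never trusted
  }
  // Reject embedded credentials such as https://trusted-name@other-host/.
  if (parsed.username !== "" || parsed.password !== "") return false;
  // origin = scheme + lowercased host + non-default port, nothing else.
  return parsed.origin === TRUSTED_ORIGIN;
}

// Constructed test inputs (example.test is a reserved test domain).
const SAMPLES = [
  "https://make.powerapps.com/environments/x/apps", // genuine origin
  "https://make.powerapps.com.example.test/page",   // trusted name as subdomain label
  "https://make.powerapps.com@example.test/page",   // trusted name as userinfo
  "http://make.powerapps.com/page",                 // wrong scheme
  "https://MAKE.powerapps.com:443/page",            // same origin after normalization
  "not a url",
];

// Run both checks over the samples so the disagreements are visible.
function compare(samples) {
  return samples.map((url) => ({
    url,
    weak: isTrustedWeak(url),
    strict: isTrustedStrict(url),
  }));
}

console.table(compare(SAMPLES));
```

The rows where the two columns disagree are the ones worth keeping as regression tests for any allowlist check of this kind.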
"Despite its simplicity, this vulnerability poses a significant risk as it can be exploited to 'initiate' a number of different attacks across multiple services, potentially exposing sensitive files and conversations, or allowing an attacker to impersonate another user and take action. Given the number of access tokens this vulnerability exposes, there are potentially other serious and creative potential attacks that haven't been discovered in our feasibility testing" - Evan Grant, Tenable's Research Engineer.
The bottom line is that the vulnerability can only be exploited by someone authorized to create Power Apps tabs. While insider attacks are common, this means that it is impossible for a third party to exploit the vulnerability.
As soon as the issue was revealed, Microsoft rolled out the fix to all customers without any action by the end user or administrator. There is no evidence that the vulnerability has been abused in practice.