Security News > 2021 > December > Four Bugs in Microsoft Teams Left Platform Vulnerable Since March
Four vulnerabilities in Microsoft Teams, unpatched since March, allowed link spoofing of URLs and opened the door to DoS attacks against Android users, researchers said.
Researchers from Positive Security discovered four bugs in the feature earlier this year and told Microsoft about the issues on March 10.
Microsoft Teams is a collaboration tool that helps people working in different geographic locations work together online.
Two of the four bugs discovered affected Microsoft Teams being used on any device and allow for server-side request forgery and spoofing, researchers said.
Finally, attackers can use IP address leak bug-the only one Microsoft appears to have remedied-to intercept messages that include a link preview to point the thumbnail URL to a non-Microsoft domain.
Microsoft first responded to Positive Security on March 12, two days after its disclosure, and the two parties went "Back-and-forth" for a couple of weeks on details of the spoofing issue.
News URL
https://threatpost.com/microsoft-teams-bugs-vulnerable-march/177225/
Related news
- Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware (source)
- Ransomware attackers are “vishing” organizations via Microsoft Teams (source)
- Ransomware gangs pose as IT support in Microsoft Teams phishing attacks (source)
- Week in review: 48k Fortinet firewalls open to attack, attackers “vishing” orgs via Microsoft Teams (source)
- Microsoft Teams phishing attack alerts coming to everyone next month (source)