Security News > 2021 > December > Four Bugs in Microsoft Teams Left Platform Vulnerable Since March
Four vulnerabilities in Microsoft Teams, unpatched since March, allowed link spoofing of URLs and opened the door to DoS attacks against Android users, researchers said.
Researchers from Positive Security discovered four bugs in the feature earlier this year and told Microsoft about the issues on March 10.
Microsoft Teams is a collaboration tool that helps people working in different geographic locations work together online.
Two of the four bugs discovered affected Microsoft Teams being used on any device and allow for server-side request forgery and spoofing, researchers said.
Finally, attackers can use IP address leak bug-the only one Microsoft appears to have remedied-to intercept messages that include a link preview to point the thumbnail URL to a non-Microsoft domain.
Microsoft first responded to Positive Security on March 12, two days after its disclosure, and the two parties went "Back-and-forth" for a couple of weeks on details of the spoofing issue.
News URL
https://threatpost.com/microsoft-teams-bugs-vulnerable-march/177225/
Related news
- Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools (source)
- Black Basta poses as IT support on Microsoft Teams to breach networks (source)
- Black Basta ransomware poses as IT support on Microsoft Teams to breach networks (source)
- Black Basta operators phish employees via Microsoft Teams (source)
- Week in review: Windows Themes spoofing bug “returns”, employees phished via Microsoft Teams (source)
- Microsoft Ignite 2024 Unveils Groundbreaking AI, Security, and Teams Innovations (source)