Microsoft Teams security flaw left users defenseless against serious cyberattacks
Microsoft Teams exploit exposed sensitive files, emails and chat logs
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A simple vulnerability incollaboration platformMicrosoftTeams could have given attackers the keys to the kingdom, researchers have found.
According to security company Tenable, although Microsoft has now remedied the situation, the vulnerability exposed all manner of sensitive information, from chat logs andemailto files shared viaOneDriveor SharePoint.
Beyond data exposure, the bug could also have been used to seize control of users’Microsoft 365accounts. With this level of access, attackers could have sent emails from victims’ accounts, for example, setting the stage for spear-phishing and other secondary attacks.
Microsoft Teams exploit
TheTeamsexploit makes use of a separate Microsoft product called Power Apps, which is designed to assist with application development. This service can be launched as a tab within Microsoft Teams.
Tenable researchers discovered that the mechanism for verifying content loaded into Power Apps was easy to manipulate. By spoofing the trusted domain (https://make.powerapps.com), an attacker could have created a malicious Power Apps tab capable of compromising any Teams user that clicked through.
“Despite its simplicity, this vulnerability poses a significant risk as it could be leveraged to launch a number of different attacks across a variety of services, potentially exposing sensitive files and conversations, or to allow an attacker to masquerade as other users and perform actions on their behalf,” said Evan Grant, Staff Research Engineer at Tenable.
“Given the number of access tokens this vulnerability exposes, there are likely to be other creative and serious potential attacks not explored in our proofs-of-concept.”
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The silving lining is that the vulnerability could only have been exploited by someone with authority to create Power Apps tabs. Although insider attacks are commonplace, this at least means the exploit could not have been abused by an unauthenticated third-party.
Soon after the issue was disclosed, Microsoft rolled out a fix to all customers, with no action required from end-users or administrators. There is no evidence to suggest the vulnerability was abused in the wild.
TechRadar Proasked Microsoft whether it would like to provide any additional color or advice, but the company declined to comment.
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
Should your VPN always be on?
3 reasons why PIA fell in our best VPN rankings
I’m a die-hard Apple fan, but even I’ll admit that the Google Pixel 9 Pro is the best-looking phone of the year
