Application Security , Incident & Breach Response , Next-Generation Technologies & Secure Development
4 Bugs Found in Microsoft Teams' Link Preview Feature
3 of 4 Flaws Remain Unpatched - Check Any URL From a Teams LinkMicrosoft Teams' link preview feature contains four vulnerabilities that allow attackers to access internal Microsoft services, spoof the link preview and - for Android users - leak their IP address and use denial-of-service attacks against their Teams app/channels, Fabian Bräunlein, managing director and IT security consultant at Positive Security, tells Information Security Media Group.
See Also: Delivering Globally Consistent App Performance to the Hybrid Workforce
Of the four vulnerabilities discovered by Bräunlein, only one has been patched and the rest remain open. Bräunlein reported his findings to Microsoft on March 10 via the Microsoft Security Response Center program. "I assume Microsoft was either lacking the willingness or resources to patch the other three vulnerabilities," Bräunlein tells ISMG.
He says he's not aware of any current active exploitation of these vulnerabilities but adds, "If targeted exploitation happens, it would also be unlikely for us to get to know about it since we don't have access to all the messages being sent via Teams."
"Microsoft could do that," Bräunlein says, "but I doubt that if they found some [exploitation], they would tell us or directly go public with it. So, if the vulnerabilities are being exploited, it would likely happen in the dark until someone notices it, connects the dots and publishes about it."
The 4 Vulnerabilities
Bräunlein's discovery of the vulnerabilities was accidental, he says in a security blog published on Wednesday by Positive Security. He says he stumbled upon them while researching the Teams' URL preview feature for another, unrelated vulnerability.
Although Bräunlein reported all four flaws to the Microsoft Security Response Center on March 10, according to his blog, Microsoft closed all the tickets between March 25 and April 14, saying that the issues did not require immediate security service.
"We've investigated all four reports and have concluded that they do not pose immediate threats requiring a security fix," a Microsoft spokesperson tells ISMG. He adds: "We’ve received similar reports in the past and have made several recent improvements to the handling of data and security in general. These changes block the reproduction of several of these reports, including the reported IP address leak on Android issue."
Microsoft also has encouraged its customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers. For more information on this, it has recommended users to visit its online safety resources.
Two of the vulnerabilities - server-side request forgery, aka SSRF, and spoofing vulnerabilities - affected Microsoft Teams on any device, while the other two - denial of service and IP address leak - only affect Android users.
Server-Side Request Forgery
Bräunlein says he tested Microsoft Teams URL preview feature for SSRF and was surprised to see that it was not protected against such an obvious attack vector. "The exact impact of the SSRF depends on the accessible services, which we did not investigate," Bräunlein tells ISMG. He confirms that this flaw allows scanning and accessing internal resources.
"As an example, an attacker could use the SSRF to scan for internal HTTP(s) services and send requests with the Log4Shell payload in the request URI to all of them to try to exploit vulnerable services that are not reachable from the internet," he says.
URL Spoofing
In his blog post, Bräunlein says that this vulnerability allows an attacker to set up the preview link target to any location independent of the main link, preview image and description, the displayed hostname, or hover text. "This could enable a malicious actor to direct the user to a fraudulent website under the guise of the URL displayed on the preview, opening the door to a host of activities," he says.
Denial of Service aka 'Message of Death'
This Android-related vulnerability is a denial-of-service attack flaw in Teams that can render the app and some of its channels unusable with a specifically crafted message. "When receiving a message that includes a link preview with an invalid preview link target (e.g., 'boom' instead of 'https://…'), the Android app crashes," according to the security blog.
IP Address Leak
This Android-related vulnerability is the only one that has been fixed by Microsoft so far.
"When creating a link preview, the back end fetches the referenced preview thumbnail and makes it available from a Microsoft domain. This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail," the blog post says.
But by intercepting sending of the message, Bräunlein says, it's possible to point the thumbnail URL to a non-Microsoft domain. According to him, the Android client does not check that the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain, and the vulnerability allows leaking of a user's IP address and user agent data by sending a message with a specially crafted link preview.
Suggested Mitigations
Bräunlein says that he tested all the vulnerabilities on Dec. 15, to check whether any of those had been patched, and found that Microsoft had only fixed the IP address leak vulnerability. The rest remain open at the time of this writing.
Bräunlein recommends the following steps to mitigate the remaining three flaws:
- SSRF: This flaw does not directly affect users and can only be mitigated by Microsoft.
- URL Spoofing: After following a link, the user can check the URL again in the browser's address bar. This is always a good idea, but now it is especially important when the link is opened via Teams.
- Android DoS: Bräunlein says that he is not aware of any methods to protect against this flaw but says: "In case such a message renders a channel unusable, we suggest to log in via Teams' web/desktop application, delete the malicious message from there and potentially block the user that sent the message."
Richard Melick, director of product strategy for endpoint at Zimperium, says, "Mobile business collaboration tool sets such as Microsoft Teams are the proverbial keys to the kingdom for any attacker due to the amount of data, access and communication opportunities that exist. So, vendors and organizations alike need to shore up the security around these mobile tools with the same mindset they apply to traditional endpoints, keeping their data and employees safe."
In the meantime, Alan Calder, CEO of GRC International Group, advises users to be careful of any URLs they click on from a link in Teams. "Do a fact-check," he says, to determine that it is a legitimate link and not a spoofed one.