A vulnerability in Microsoft Teams could allow a malicious actor to steal sensitive data and access a victim’s communications, researchers have warned.
The bug, which has now been patched, allowed an attacker to steal a victim’s emails, Teams messages, and OneDrive files, as well as send emails and messages on their behalf.
It was discovered by Evan Grant, staff research engineer at Tenable, who detailed the security issue in a blog post released today (June 15).
Attack surface
The attack relies on a vulnerability in the Microsoft Power Apps tab. Microsoft Teams has a default feature that allows a user to launch small applications (or applets) as a tab in any team they are part of.
If that user is part of an Office 365/Teams organization with a Business Basic license or above, they also have access to a set of Teams tabs which consist of Microsoft Power Apps applications, the blog post explains.
In an unpatched version of Teams, an attacker could set up a malicious tab which, when opened by the victim, would give the attacker access to the victim's private documents and communications.
“Furthermore, the attacker could disguise themselves as the victim and send emails and messages on their behalf, potentially allowing them to conduct further social engineering attacks within the organization,” added Grant.
“Despite the simplicity of the bug, the attack itself is fairly complicated and requires a working knowledge of the Microsoft Power Apps and Power Automation features.”
Limitations
However, Grant pointed out, the malicious actor would have to be a member of the Microsoft Teams organization they are attacking, meaning the attack would only work in an insider threat scenario.
More technical details about the bug and a proof of concept can be found in the blog post.
Microsoft Teams users are urged to update to the latest version of the software to protect against the vulnerability.
Source: https://portswigger.net/daily-swig/vulnerability-in-microsoft-teams-granted-attackers-access-to-emails-messages-and-personal-files