A potential security flaw has been discovered in the Microsoft ecosystem which may distress Microsoft Teams users. Recently, the Microsoft team patched a vulnerability in the Microsoft Teams environment – a collaboration space used by over 145 million daily users today. The vulnerability found by Tenable researcher Evan Grant would allow attackers to take control of the end user’s account and gain access to various sources of data, including chat history, OneDrive files, and emails.
According to Tenable, the Microsoft Teams environment features a default setting that allows users to launch applications as tabs within the teams they use. Companies using Office 365 or Teams on their own with a Basic Business license or higher will also be able to launch “Power Apps” in the same way. However, content loaded onto these Power Apps was apparently governed with a poorly anchored regular expression.
Understanding the Issue
Essentially, the security issue means that the validation mechanism which confirms the content in a tab is coming from a trusted source only verifies one thing. This mechanism just looks to see that the URL given begins with the right structure, including the https//make.powerapps.com introduction.
Unfortunately, the mechanism does not check the validity of the URL any further, which means that attackers can create subdomains using the initial part of the link, such as https://make.powerapps.com.fakebusiness.com which would allow them to load dangerous content into the tab. This vulnerability is made worse by the permissions that are granted to Power Apps in Teams. Successful use of the flaw would allow malicious attackers to gain control of users.
People who clicked on the fake tab would be able to read victim messages, access the victim’s email address, and their OneDrive storage too. Fortunately, Microsoft has immediately implemented a solution to fix this problem, before any damage could be done.
Microsoft Has Fixed the Issue
As a server-side flaw, Microsoft was able to jump in and fix the problem without any need for actions from users in Microsoft Teams. The issue has now been fully patched, which means there’s no need fore further investigations and proof of concept from the Tenable team. However, the group has offered a full analysis of the issue on the Techblog.
