Hacking

Expert discloses zero-click, wormable flaw in Microsoft Teams

Security expert disclosed technical details about a wormable, cross-platform flaw in Microsoft Teams that could allow stealth attacks.

Security researcher Oskars Vegeris from Evolution Gaming has published technical details on a wormable, cross-platform vulnerability in the business communication platform Microsoft Teams.

The flaw is a cross-site scripting (XSS) issue that impacts the ‘teams.microsoft.com’ domain, it could be exploited by an attacker to achieve remote code execution in the MS Teams desktop application.

An attacker could exploit the flaw by sending a specially crafted message to any Microsoft Teams user or channel.

“A Remote Code Execution vulnerability has been identified in MS Teams desktop which can be triggered by a novel XSS (Cross-Site Scripting) injection in teams.microsoft.com. A specifically crafted chat message can be sent to any Microsoft Teams member or channel which will execute arbitrary code on victim PC’s with NO USER INTERACTION.” reads the advisory published by Vegeris.

“Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). Code execution gives attackers full access to victim devices and company internal networks via those devices,”

Even without gaining arbitrary code execution, the attacker could exploit the XSS flaw to obtain SSO authorization tokens for MS Teams or other services of the IT giant (e.g. Skype, Outlook, Office365). The issue could also allow attackers to access confidential conversations and files from the communications service. 

The expert pointed out that the attack is stealth, it doesn’t require any user interaction and there are no indicators of compromise for this attack.

The flaw is also ‘wormable,’ this means that it is possible to automatically repost the exploit payload to other companies, channels, users without interaction

Successful exploitation could cause complete loss of confidentiality and integrity for end-users, attackers could access sensitive info into private chats, files, internal network, along with private keys and personal data outside MS Teams

The flaw could also open to phishing attacks by redirecting the victims to attackers’ site or requesting SSO credential input.

Affected products include:

  • MS Teams (teams.microsoft.com) – Cross-Site Scripting
  • MS Teams macOS v 1.3.00.23764 (latest as of 2020-08-31)
  • MS Teams Windows v 1.3.00.21759 (latest as of 2020-08-31)
  • MS Teams Linux v 1.3.00.16851 (latest as of 2020-08-31)

Vegeris also published a demo on how to exploit the vulnerability, he is disappointed by the Microsoft’choice to rate the issues “Important, Spoofing,” which is one of the lowest in-scope ratings possible.

Microsoft Teams hack

He added that the IT giant wouldn’t issue a CVE number for the vulnerability, because issues in Microsoft Teams are fixed via automatic updates.

Microsoft has addressed the flaw with an update released in October.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Teams)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Japan passed a law allowing preemptive offensive cyber actions<gwmw style="display:none;"></gwmw>

Japan passed a law allowing preemptive offensive cyber actions, shifting from its pacifist stance to…

2 hours ago

Pwn2Own Berlin 2025: total prize money reached $1,078,750

Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total…

8 hours ago

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

Security Affairs newsletter Round 524 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

1 day ago

Experts found rogue devices, including hidden cellular radios, in Chinese-made power inverters used worldwide

Chinese "kill switches" found in Chinese-made power inverters in US solar farm equipment that could…

1 day ago