Expert discloses zero-click, wormable flaw in Microsoft Teams

Security expert disclosed technical details about a wormable, cross-platform flaw in Microsoft Teams that could allow stealth attacks.

Security researcher Oskars Vegeris from Evolution Gaming has published technical details on a wormable, cross-platform vulnerability in the business communication platform Microsoft Teams.

The flaw is a cross-site scripting (XSS) issue that impacts the ‘teams.microsoft.com’ domain, it could be exploited by an attacker to achieve remote code execution in the MS Teams desktop application.

An attacker could exploit the flaw by sending a specially crafted message to any Microsoft Teams user or channel.

“A Remote Code Execution vulnerability has been identified in MS Teams desktop which can be triggered by a novel XSS (Cross-Site Scripting) injection in teams.microsoft.com. A specifically crafted chat message can be sent to any Microsoft Teams member or channel which will execute arbitrary code on victim PC’s with NO USER INTERACTION.” reads the advisory published by Vegeris.

“Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). Code execution gives attackers full access to victim devices and company internal networks via those devices,”

Even without gaining arbitrary code execution, the attacker could exploit the XSS flaw to obtain SSO authorization tokens for MS Teams or other services of the IT giant (e.g. Skype, Outlook, Office365). The issue could also allow attackers to access confidential conversations and files from the communications service. 

The expert pointed out that the attack is stealth, it doesn’t require any user interaction and there are no indicators of compromise for this attack.

The flaw is also ‘wormable,’ this means that it is possible to automatically repost the exploit payload to other companies, channels, users without interaction

Successful exploitation could cause complete loss of confidentiality and integrity for end-users, attackers could access sensitive info into private chats, files, internal network, along with private keys and personal data outside MS Teams

The flaw could also open to phishing attacks by redirecting the victims to attackers’ site or requesting SSO credential input.

Affected products include:

  • MS Teams (teams.microsoft.com) – Cross-Site Scripting
  • MS Teams macOS v (latest as of 2020-08-31)
  • MS Teams Windows v (latest as of 2020-08-31)
  • MS Teams Linux v (latest as of 2020-08-31)

Vegeris also published a demo on how to exploit the vulnerability, he is disappointed by the Microsoft’choice to rate the issues “Important, Spoofing,” which is one of the lowest in-scope ratings possible.

He added that the IT giant wouldn’t issue a CVE number for the vulnerability, because issues in Microsoft Teams are fixed via automatic updates.

Microsoft has addressed the flaw with an update released in October.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Teams)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Wikileaks founder Julian Assange is free

WikiLeaks founder Julian Assange has been released in the U.K. and has left the country…

3 hours ago

CISA confirmed that its CSAT environment was breached in January.

CISA warned chemical facilities that its Chemical Security Assessment Tool (CSAT) environment was compromised in…

8 hours ago

Threat actors compromised 1,590 CoinStats crypto wallets

Threat actors breached 1,590 cryptocurrency wallets of the cryptocurrency portfolio management and tracking platform CoinStats.…

20 hours ago

Experts observed approximately 120 malicious campaigns using the Rafel RAT

Multiple threat actors are using an open-source Android remote administration tool called Rafel RAT to target Android…

1 day ago

LockBit claims the hack of the US Federal Reserve

The Lockbit ransomware group announced that it had breached the US Federal Reserve and exfiltrated…

1 day ago

Ransomware threat landscape Jan-Apr 2024: insights and challenges

Between Jan and Apr 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware…

1 day ago

This website uses cookies.