A researcher at security firm Tenable found the vulnerability this week and revealed the find in a company blog. Evan Grant, who works in the firm’s Zero-Day team, found that the flaw could allow an attacker to gain access to a victim’s chat history, read and send emails on the victim’s behalf, and access files in their OneDrive storage.
The rise of remote access and why flaws matter
The vulnerability, which has now been patched by Microsoft, affected enterprise users of the company’s software. Use of Teams has, for obvious reasons, gained much traction over the last 18 months and has acquired millions of new users - in fact, the company has said it now has more than 100 million users, although that figure also includes regular consumers of its software.
Grant said he thought the particular vulnerability could be leveraged by threat actors in a variety of scenarios, including reading team chats, sending emails and messages as if from another trusted user, and even accessing, downloading or tampering with files. He stressed that such vulnerabilities reveal the potential threat posed by platforms like Teams, especially the most trusted ones.
Server security and validation
This one in particular came through the Power Apps service Microsoft offers businesses, enabling them to build business-specific use cases on its products, such as Teams, Excel and others. The lack of URL verification in Power Apps could be exploited to attack a company’s users. The vulnerability was serious because it is amplified by the permissions granted to Microsoft Power Apps within Teams, which would let attackers take control of any user accessing the malicious tab.
This flaw was what is known as a ‘server-side vulnerability’ in cyber security-speak. Such flaws exist on the servers that power Microsoft’s apps, software and services and can be fixed by the organisations running them without any action by users, but system administrators may still need to check their systems for possible exploitation.
The problem arose because Microsoft Teams has a default feature allowing users to launch applications as a tab within any team they belong to. Organisations using Office 365 or Teams with a Business Basic licence or higher can also launch Microsoft Power Apps within such a tab. Tenable discovered that content loaded into Power Apps was governed by ‘an improperly anchored regular expression’, meaning the validation mechanism does not properly confirm that the content comes from a trusted source, which opens the gateway to attackers.
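As an added illustration (not code from Tenable’s write-up or from Microsoft, and using the constructed placeholder domain example-apps.com), the snippet below shows how a URL allow-list built on an improperly anchored regular expression accepts attacker-controlled origins, beside an anchored regex and a parser-based check that reject them:

```javascript
// Added example, not Tenable's or Microsoft's code. "example-apps.com" and the
// sample URLs are constructed placeholders for illustration only.

// Weak check: neither ^ nor $ anchors, so the trusted pattern only has to
// appear *somewhere* in the URL.
const WEAK_PATTERN = /https:\/\/[a-z0-9-]+\.example-apps\.com/;

// Anchored check: the whole string must be the scheme plus a trusted host,
// optionally followed by a path that begins with "/".
const ANCHORED_PATTERN = /^https:\/\/[a-z0-9-]+\.example-apps\.com(\/\S*)?$/;

function weakIsTrusted(url) {
  return WEAK_PATTERN.test(url);
}

function anchoredIsTrusted(url) {
  return ANCHORED_PATTERN.test(url);
}

// Parser-based check: let the URL parser decide what the host actually is,
// then compare the hostname instead of pattern-matching the raw string.
function parsedIsTrusted(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  const host = parsed.hostname.toLowerCase();
  return parsed.protocol === "https:" && host.endsWith(".example-apps.com");
}

// Constructed samples: one legitimate tab URL and three that place the trusted
// host name where an unanchored regex still finds it.
const SAMPLES = [
  "https://apps.example-apps.com/tab?id=1",                    // legitimate
  "https://evil.example/?next=https://apps.example-apps.com",  // host in query
  "https://apps.example-apps.com.evil.example/",               // host as prefix
  "https://apps.example-apps.com@evil.example/",               // host as userinfo
];

// Returns, for each sample, which of the three checks accept it.
function evaluateSamples(samples = SAMPLES) {
  return samples.map((url) => ({
    url,
    weak: weakIsTrusted(url),
    anchored: anchoredIsTrusted(url),
    parsed: parsedIsTrusted(url),
  }));
}
```

Only the first sample should be accepted; the weak check accepts all four, which is the class of defect the article describes.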