A zero-day vulnerability in Microsoft Teams that could allow an attacker to take control of your account has been patched. Teams, Microsoft’s business communication service, has surged in popularity amid the ongoing pandemic, driven by the shift to remote work over the past several months.
According to the security researcher at Tenable who discovered the flaw, the vulnerability could allow an attacker to access your chat history on Microsoft Teams. What’s more, it could also let an attacker read emails on your behalf, further compromising important files and documents in OneDrive storage.
Microsoft Teams zero-day vulnerability
A default feature on Microsoft Teams allows users to launch Microsoft Teams apps as a tab within teams they belong to. A similar feature allows enterprise customers with Office 365 or Microsoft Teams with a Business Basic license to launch Microsoft Power Apps within these tabs.
According to the researcher, an improperly anchored regular expression governing which content could be loaded into Microsoft Power Apps tabs left an opening that an attacker could exploit.
Whether the tab content came from a trusted source was verified only by checking that the given URL begins with the string “https://make.powerapps.com”; no other validation was carried out.
“The severity of this vulnerability is amplified by the permissions granted to Microsoft Power Apps within Microsoft Teams. Successful exploitation of this flaw allows attackers to take control of any users that access the malicious tab. This includes reading the victim users’ group messages within Teams, accessing the users’ email and OneDrive storage, and more,” Tenable said.
Because of this, an attacker only had to create a hostname beginning with “make.powerapps.com” under any domain they control.
For example, https://make.powerapps.com.fakecorp.ca.
Such a URL passed the check, allowing an attacker to load untrusted content into a Power Apps tab.
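To make the flaw concrete, here is an added Python example, not code from the article or from Tenable. It reconstructs the weak check as a start-anchored regular expression with no terminator after the hostname (an assumption about the original pattern, which the article does not quote) and places it beside a strict check that parses the URL and requires an exact hostname match. The sample URLs are constructed for this example; only the “make.powerapps.com.fakecorp.ca” pattern comes from the article.

```python
import re
from urllib.parse import urlsplit

TRUSTED_HOST = "make.powerapps.com"

# Reconstructed weak check (assumption): anchored only at the start of the
# string, so any URL that merely begins with the trusted origin text passes.
WEAK_ORIGIN_RE = re.compile(r"^https://make\.powerapps\.com")


def weak_is_trusted(url: str) -> bool:
    """Prefix-only check: accepts anything that starts with the trusted origin."""
    return WEAK_ORIGIN_RE.match(url) is not None


def strict_is_trusted(url: str) -> bool:
    """Parse the URL, then require https and an exact hostname match.

    Comparing the parsed hostname (not the raw string) means a longer
    hostname such as make.powerapps.com.fakecorp.ca cannot pass.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased, port stripped
    if host is None:
        return False
    return host == TRUSTED_HOST


# Constructed sample URLs; the .fakecorp.ca form is the one the article names.
SAMPLE_URLS = [
    "https://make.powerapps.com/",
    "https://make.powerapps.com/environments/abc/apps",
    "https://make.powerapps.com:443/",
    "https://make.powerapps.com.fakecorp.ca/",
    "https://make.powerapps.com.fakecorp.ca/app",
    "http://make.powerapps.com/",
    "https://fakecorp.example/?u=https://make.powerapps.com",
]


def compare(urls=SAMPLE_URLS):
    """Return {url: (weak_result, strict_result)} so the two checks can be compared."""
    return {u: (weak_is_trusted(u), strict_is_trusted(u)) for u in urls}


if __name__ == "__main__":
    for u, (weak, strict) in compare().items():
        print(f"weak={weak!s:<5} strict={strict!s:<5} {u}")
```

Running the block prints one line per sample URL; the only rows where the two checks disagree are the “make.powerapps.com.fakecorp.ca” URLs, which the weak prefix check accepts and the hostname comparison rejects. The same approach applies to any allow-list of origins: compare the parsed scheme and host against an exact value rather than matching a prefix of the raw string.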
Since this was a server-side vulnerability, Microsoft did not require users to take any manual actions to fix it.
As of April 2021, Microsoft Teams recorded 145 million daily active users on its platform.