Microsoft Teams vulnerability could have resulted in account compromise

source link: https://siliconangle.com/2021/06/14/microsoft-teams-vulnerability-resulted-account-compromise/

Microsoft Corp. recently patched a severe vulnerability in Microsoft Teams that could have allowed an attacker to gain access to a user’s account.

Discovered and publicized today by researcher Evan Grant at Tenable Inc., the vulnerability related to a feature in Microsoft Teams that allows users to launch applications as a tab within any team they belong to.

The Power Apps tabs were found to be governed by an improperly anchored regular expression, which amounted to insufficient input validation: when a tab was opened, the validation mechanism did not properly confirm that the content loaded into the tab came from a trusted source.

The issue was a surprising one given its relative simplicity. When a tab was opened, the validation mechanism would only confirm the beginning of the URL, for example make.powerapps.com. As a result, attackers exploiting the vulnerability could, in theory, then create a subdomain on a domain they controlled, for example make.powerapps.fakecorp.ca or similar, allowing them to load untrusted content into a Power Apps tab.
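To make the prefix-only check concrete, the following added example (not Microsoft's or Tenable's code; the regex pattern, allow-list and sample URLs are constructed for illustration) contrasts a regex anchored only at the start of the URL with an exact-hostname comparison done after parsing the URL.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to load inside the tab (constructed allow-list, not Microsoft's).
TRUSTED_HOSTS = {"make.powerapps.com"}

# Hypothetical check in the style the article describes: the pattern anchors
# only the start of the URL, so anything that *begins* with the trusted
# prefix passes, including hostnames on a domain the attacker controls.
WEAK_PATTERN = re.compile(r"^https://make\.powerapps\.")


def weak_is_trusted(url: str) -> bool:
    """Prefix-only validation: true for any URL starting with the trusted prefix."""
    return WEAK_PATTERN.match(url) is not None


def strict_is_trusted(url: str) -> bool:
    """Parse the URL and compare the complete hostname against the allow-list.
    urlparse(...).hostname is lowercased and has any port or userinfo stripped,
    so 'https://make.powerapps.com@evil.example/' yields 'evil.example'."""
    try:
        parsed = urlparse(url)
    except ValueError:
        return False
    if parsed.scheme != "https" or parsed.hostname is None:
        return False
    return parsed.hostname in TRUSTED_HOSTS


def compare(urls):
    """Return {url: (weak_result, strict_result)} for a list of candidate URLs."""
    return {u: (weak_is_trusted(u), strict_is_trusted(u)) for u in urls}


# Constructed sample URLs: one legitimate, one shaped like the article's
# make.powerapps.fakecorp.ca example, and two other common prefix-check bypasses.
SAMPLE_URLS = [
    "https://make.powerapps.com/app/1",
    "https://make.powerapps.fakecorp.ca/app/1",
    "https://make.powerapps.com.fakecorp.ca/",
    "https://make.powerapps.com@fakecorp.ca/",
]

if __name__ == "__main__":
    for url, (weak, strict) in compare(SAMPLE_URLS).items():
        print(f"{url:45} weak={weak!s:5} strict={strict}")
```

Only the first sample URL passes the strict check; the weak pattern accepts all four.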

“Successful exploitation of this flaw allows attackers to take control of any users that access the malicious tab,” Grant explained. “This includes reading the victim users’ group messages within Teams, accessing the users’ email and OneDrive storage and more.”

With this unhindered access to an employee’s email and the ability for an attacker to pretend to be an authentic, trusted employee, the vulnerability delivered comprehensive data for a business email compromise attack.

In a typical BEC attack, victims receive emails they believe are from a company they usually conduct business with, but this email requests that funds be sent to a new account or otherwise alters the standard payment practices.

The U.S. Federal Bureau of Investigation has issued multiple warnings about the risk of BEC attacks, noting in April 2020 that COVID-19 topics were being used in the attacks. In December, the FBI warned that cybercriminals were exploiting email forwarding to undertake BEC attacks.

Because the vulnerability was a server-side issue, Microsoft could fix it without any user action required. It’s not believed that the vulnerability was ever exploited in the wild before being patched.

Image: Microsoft
