Remember the Microsoft Teams flaw from a couple of weeks ago that didn't let Google Pixel users call 911? It turns out there are at least four security flaws in Microsoft's business-collaboration service, including one that could send you to malware or phishing websites, and Microsoft has fixed only one of them.
Russian information-security firm Positive Technologies (opens in new tab) chronicled this saga in a blog post Tuesday (Dec. 22), explaining that two of the new vulnerabilities are specific to Android while the two others apply to all operating systems.
Poisoned image previews
The worst vulnerability lets an attacker swap in a malicious URL, or web link, for the legitimate one when Teams displays a thumbnail preview image. This works in Windows, Mac, iOS and Linux as well as Android.
Using a common network-traffic-intercept tool, Positive Technologies' Fabian Bräunlein made a video clip demonstrating how he substituted a Google link into what appeared to be a Bing link (opens in new tab) — two domains that would not normally have anything to do with each other.
"When clicking the preview, a different link is opened than what was expected by the user," Bräunlein wrote in the blog post. "This can be used either for improved phishing attacks, or to hide malicious links."
Microsoft was told of all these flaws by Positive Technologies in March of 2021, but the operating-system maker responded that this particular vulnerability "does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it's not the one the user was expecting."
Apparently Microsoft's Teams team has never seen a really convincing phishing website.
Spilling the beans
Two of the other flaws reveal information about the other parties on a Team call that should be kept private.
The first, which Positive Technologies says Microsoft has now patched, lets an attacker send a "specially crafted link preview" to get another person's Internet Protocol (IP) address if the other person views a Teams chat from an Android device.
That information by itself is not terribly malicious, but having the other party's IP address could let the attacker mount attacks on that user by other means. This flaw was quietly patched even after Microsoft dismissed it as another issue that "does not pose an immediate threat."
The second is more of a problem for Microsoft itself. Bräunlein found that with some clever coding, which he's not revealing, he could get sensitive information about the Microsoft server hosting a Teams chat.
According to Bräunlein, this "can be used for internal port scanning and sending HTTP-based exploits to the discovered web services," but Microsoft declined to fix it and gave Positive Technologies permission to discuss it publicly.
Start, crash, repeat
The last flaw is just annoying. It lets an attacker (or maybe just a prankster) crash the Teams Android app by sending an invalid image-preview link, or what Bräunlein entertainingly calls the "Message of Death." All you need to do is put something that's not a legitimate weblink in the space where one should be.
"The app keeps crashing when trying to open the chat/channel with the malicious message, which makes the chat/channel unusable for Android users," Bräunlein wrote.
Microsoft told Positive Technologies "that this issue does not require immediate security service" and that a fix "will be considered in a future version" of Teams.
Asked about the Positive Technologies report by Threatpost (opens in new tab), Microsoft said that "we've investigated all four reports and have concluded that they do not pose immediate threats requiring a security fix."
"We've received similar reports in the past and have made several recent improvements to the handling of data and security in general," Microsoft added.
The moral of this story is: Maybe don't run Teams on Android, and be very careful about which image links you click in Teams on all platforms.