Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature

A security researcher has found that attackers could abuse the popular sticker feature in Microsoft Teams to conduct cross-site scripting (XSS) attacks.

Microsoft Teams, alongside comparable teleconferencing services including Zoom, have experienced a surge in popularity over the past few years.

The Covid-19 pandemic forced organizations to adopt work-from-home models whenever possible. In the aftermath, employees have often been given the option of either staying remote or going hybrid.

With so many users, any vulnerability in Microsoft Teams could have widespread impact. As such, cybersecurity researchers, including Gais Cyber Security’s senior cybersecurity specialist Numan Turle, have examined the software for potential flaws.

Sticky subject

In 2021, Turle uncovered CVE-2021-24114. Issued a CVSS score of 5.7, the bug was discovered in the preview process of images sent via Teams to leak Skype tokens (PDF) and trigger an account takeover vulnerability in Teams iOS.

A year on, the researcher decided to examine Microsoft Teams’ sticker function for new security issues.

When a sticker is sent via Teams, the platform converts it into an image and uploads the content as ‘RichText/HTML’ in the subsequent message.

Turle inspected the HTML request using Burp Suite and tried out typical attributes – to no avail, due to the protections offered by Microsoft’s Content Security Policy (CSP).

CSP is designed to mitigate a range of common web attacks, including XSS.

However, after plugging the CSP into Google’s CSP Evaluator tool, the researcher found a CSP defect – the script-src field was flagged as unsafe, which paved the way for potential HTML injection attacks against multiple domains.

Trying a different angle

Microsoft had plugged these security holes via Azure domain changes. So, after digging deeper and inspecting Teams in-browser, Turle uncovered a JavaScript element, angular-jquery, that could be used as an alternative.

jQuery with Angular is a JavaScript framework for managing HTML and CSS interactions. However, this version was out of date and vulnerabilities in the outdated version (1.5.14) – could be utilized to bypass the CSP.

After crafting a malicious iframe with help from HTML encoding, the researcher was able to create a malicious payload, sent via the stickers function in Teams, to trigger XSS, obtained through user interaction.

Turle disclosed the XSS issue to Microsoft on January 6. The vulnerability was patched in March and the researcher was awarded a $6,000 bug bounty.

The Daily Swig has reached out to Gais Cyber Security and Microsoft and we will update when we hear back.

Advertisement. Scroll to continue reading.

Full details can be found in a technical blog post from Turle.

Source: https://portswigger.net/daily-swig/microsoft-teams-security-vulnerability-left-users-open-to-xss-via-flawed-stickers-feature

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two...

Cyber Security

Businesses and developers are focusing more on the security of applications in their digital environment as cyber threats and data breaches continue escalating. The...

Cyber Security

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation. It can find and fix vulnerabilities on...

Cyber Security

The Environmental Protection Agency cited a lack of resources and the sheer volume of critical vulnerabilities as the reasons for its inability to patch...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO