Technology
Microsoft Teams security vulnerability left users open to XSS via flawed stickers feature
The friendly image sent by your colleague on a teleconference may be hiding a malicious secret.
A security researcher has found that attackers could abuse the popular sticker feature in Microsoft Teams to conduct cross-site scripting (XSS) attacks.
Microsoft Teams, alongside comparable teleconferencing services including Zoom, have experienced a surge in popularity over the past few years.
The Covid-19 pandemic forced organizations to adopt work-from-home models whenever possible. In the aftermath, employees have often been given the option of either staying remote or going hybrid.
With so many users, any vulnerability in Microsoft Teams could have widespread impact. As such, cybersecurity researchers, including Gais Cyber Security’s senior cybersecurity specialist Numan Turle, have examined the software for potential flaws.
Sticky subject
In 2021, Turle uncovered CVE-2021-24114. Issued a CVSS score of 5.7, the bug was discovered in the preview process of images sent via Teams to leak Skype tokens (PDF) and trigger an account takeover vulnerability in Teams iOS.
A year on, the researcher decided to examine Microsoft Teams’ sticker function for new security issues.
When a sticker is sent via Teams, the platform converts it into an image and uploads the content as ‘RichText/HTML’ in the subsequent message.
Turle inspected the HTML request using Burp Suite and tried out typical attributes – to no avail, due to the protections offered by Microsoft’s Content Security Policy (CSP).
CSP is designed to mitigate a range of common web attacks, including XSS.
However, after plugging the CSP into Google’s CSP Evaluator tool, the researcher found a CSP defect – the script-src field was flagged as unsafe, which paved the way for potential HTML injection attacks against multiple domains.
Trying a different angle
Microsoft had plugged these security holes via Azure domain changes. So, after digging deeper and inspecting Teams in-browser, Turle uncovered a JavaScript element, angular-jquery, that could be used as an alternative.
jQuery with Angular is a JavaScript framework for managing HTML and CSS interactions. However, this version was out of date and vulnerabilities in the outdated version (1.5.14) – could be utilized to bypass the CSP.
After crafting a malicious iframe with help from HTML encoding, the researcher was able to create a malicious payload, sent via the stickers function in Teams, to trigger XSS, obtained through user interaction.
Turle disclosed the XSS issue to Microsoft on January 6. The vulnerability was patched in March and the researcher was awarded a $6,000 bug bounty.
-
Technology2 years ago
VoIP Number: Everything You Need To Know
-
Music1 month ago
[Music] Gnash Ft Olivia O’Brien – I Hate you, I Love you
-
Music1 month ago
[INSTRUMENTAL] John Legend – All Of Me
-
Music1 month ago
Alan Walker – Faded [INSTRUMENTAL]
-
Music1 month ago
[Video] 21 Savage ft. Offset & Metro Boomin – Rap Saved Me
-
Music1 month ago
[Instrumental] Wiz Khalifa – See You Again ft. Charlie Puth
-
ANE Stories4 months ago
[STORY] AMAKA THE LESBIAN (Complete Episodes)
-
Music1 month ago
[Music] Akon – Sorry Blame It On Me