Microsoft has been accused of downplaying the impact of a set of remotely exploitable vulnerabilities in its Teams communications app, which a researcher said could open up organisations' internal networks and leak information without user interaction.
Security engineer Oskars Vegeris discovered it was possible to bypass security measures in the AngularJS and ElectronJS JavaScript frameworks, and inject code into Teams chat messages.
Some of the bugs Vegeris found allowed remote code execution with no interaction required, and could be silently executed by attackers entering channels as guest users.
This, Vegeris said, could have allowed for companies' internal networks to be compromised, and users' documents and messages on Office 365 to be intercepted.
He also speculated that the vulnerabilities could have been wormable - so that they spread in Microsoft Teams networks - if the recipients of the malicious messages automatically reposted them in their channels.
By exploiting a cross-site scripting vulnerability on the teams.microsoft.com website, Vegeris found that it was possible to capture the single sign-on (SSO) tokens for not just Teams but also other Microsoft services, such as Outlook, Skype and Office 365.
The five remote code execution bugs were reported to Microsoft in August this year, and patched at the end of October.
Vegeris said Microsoft did not assign Common Vulnerabilities and Exposures (CVE) indexes to the bugs since it has a policy of not doing so with products that automatically update.
Furthermore, while Microsoft considered the vulnerabilities to be within the scope of its Office 365 cloud bug bounty program, three months after Vegeris' report it gave them the lowest possible "Important, Spoofing" rating rather than a critical rating for the browser Teams client.
The vulnerabilities in the desktop Teams clients for Windows, macOS and Linux were rated as "critical, remote code execution" but Vegeris said Microsoft considered the app to be out of scope for the bug bounty program.
Teams, along with competitors Slack, Zoom and Google Hangouts, has become a popular collaboration tool as the Covid-19 pandemic forced millions of corporate employees to work remotely.