An XSS Vulnerability Riddled Microsoft Teams

A security researcher identified a severe XSS vulnerability affecting the Microsoft Teams software. Exploiting the bug merely required an adversary to send a maliciously crafted sticker via the app.

Microsoft Teams Vulnerability

Sharing the details in a blog post, security researcher Numan Turle described how he discovered an XSS vulnerability in Microsoft Teams.

As elaborated, the researcher found this bug while inspecting Microsoft Teams for possible security flaws. He mainly focused on how the Teams feature for sending and receiving stickers worked.

Specifically, Turle noticed that Teams converts the sticker to an image while sending it as a RichText/Html message. After sending the sticker, the researcher observed that tapping on it displayed the alt attribute in a popup at the bottom. That’s where the researcher intervened, adding certain characters that the app then interpreted.

While Microsoft implemented a CSP to prevent XSS attacks, the researcher noticed a CSP fault that allowed HTML injection attacks. Using Google’s CSP Evaluator tool, the researcher observed that the “script-src” directive was marked as unsafe, allowing HTML injection against multiple domains. The researcher then analyzed the app further and found an outdated angular-jquery version (1.5.14). This discovery enabled the researcher to bypass the CSP and trigger the XSS flaw following user interaction.

Microsoft Patched The Bug

After discovering the vulnerability, the researcher reached out to Microsoft officials via their bug bounty program. The researcher disclosed the bug to the MSRC team in January 2022, in response to which Microsoft started working on a fix.

Eventually, the tech giant patched the vulnerability and acknowledged the researcher’s effort with a $6000 bounty.

This means that Microsoft Teams users no longer have to worry about potential exploitation via this bug. Nonetheless, users must make sure they are running the latest app versions on their devices so that they receive the patch.
