Microsoft Teams: Positive Security researchers have discovered four vulnerabilities in Microsoft Teams that could allow an attacker to perform denial of service (DoS) attacks on Android phones and leak IP addresses, in addition to other malicious activities. The flaws have existed since March and only one of them has been fixed so far, according to a statement released on Wednesday (22).
According to cybersecurity company co-founder Fabian Bräunlein, two of the four holes found in Microsoft's messenger can be exploited on any device. They allow server-side request forgery (SSRF) and spoofing attacks, in which a cybercriminal pretends to be someone else.
The other two vulnerabilities in Teams specifically affect Android smartphones with the messaging app installed. By exploiting them, an external attacker can leak the IP addresses of the devices and launch a DoS attack against the phones, crashing the communication tool.
The expert says that by exploiting the SSRF bug it is possible to access and leak information from Microsoft's local network. The spoofing flaw, in turn, would make phishing attacks more effective and make it easier to hide malicious links, potentially containing various traps for victims.
Microsoft justifies itself
Bräunlein claims to have reported the discovery of bugs in Microsoft Teams to the Redmond giant on March 10 through the company's rewards program for security researchers. However, the owner of Windows has so far fixed only the flaw that allowed the leak of IPs on Android.
On Threatpost, the tech giant said that the other flaws described by the researcher do not pose immediate threats to the program's users. As such, the company has not yet released patches to fix them, but says it has taken some steps to increase security on the platform.