Microsoft Teams Security Alert: IDOR Vulnerability Uncovered in Collaboration Tool
Researchers discovered an IDOR vulnerability in Microsoft Teams that lets attackers deliver malware to users in any organization.
By Medusa | 3 min read
Researchers at JUMPSEC recently discovered a vulnerability in Microsoft Teams. By bypassing client-side controls, they made a malicious payload appear in the recipient's inbox as a file instead of a link. In this blog, we will cover the following:
What happened?
How researchers exploited IDOR in Teams
Microsoft’s response
Recommendation
How Akto can help
Microsoft Teams Security Alert: What happened?
A recent advisory from JUMPSEC Labs has uncovered a dangerous vulnerability in the latest version of Microsoft Teams. Researchers Max Corbridge and Tom Ellson discovered an IDOR vulnerability that could allow malware to be introduced to a user's system. They found that, in the default Microsoft Teams configuration, client-side security controls could be bypassed, enabling attackers to deliver malware to target users via maliciously crafted files.
"Microsoft Teams is the ultimate messaging app for your organization – a workspace for real-time collaboration and communication, meetings, file and app sharing. As of 2023, Microsoft Teams had 280 million daily active users. In 2022, the annual revenue of Microsoft Corporation was 198.27 billion." Read more here.
Organizations with a Microsoft account can communicate with other businesses or organizations that use Microsoft Teams; from the sender's point of view these are known as external tenancies. Each organization has its own Microsoft tenancy, and users from one tenancy can send messages to users in another. When such a message is sent, the name of the external tenancy is accompanied by an "External" banner.
"IDOR (Insecure Direct Object Reference) vulnerability is a type of security vulnerability that occurs when an application allows unauthorized access to an object by modifying the value of a parameter used to directly reference that object. This can occur when an application fails to properly enforce access controls or properly validate user input." Read More here.
External messages carry a warning, but people still click on them, which is what an attacker relies on to get malware to a target. Researchers at JUMPSEC found a way around Microsoft Teams' controls: the payload arrives looking like a file instead of a link. This fools most anti-phishing measures and is very dangerous for organizations.
How researchers exploited IDOR in Teams
By default, Teams does not allow sending files to staff in another organization, although it does allow this between members of your own tenancy (the original post illustrates the restriction with a screenshot).
The JUMPSEC researchers got past this control with a traditional IDOR technique: they swapped the IDs of the internal and external recipients in the POST request that sends the message, which goes to /v1/users/ME/conversations/messages.
The payload is hosted on a SharePoint domain and downloaded from there by the target, but in the target's inbox it appears as a file rather than a link, so the target is likely to download it without seeing a warning.
Microsoft's response
Microsoft has been informed of the vulnerability but did not consider it to "meet the bar for immediate servicing". Microsoft Teams users should therefore remain vigilant when interacting with messages from external tenants. Organizations should review whether external tenants need permission to message their staff, maintain allow-lists of trusted external tenants, and train staff to recognise such threats.
Recommendations
After discovering this issue, the researchers reached out to Microsoft to let them know. While Microsoft acknowledges the bug, they have decided that it is not urgent enough to fix it immediately. Unfortunately, this means that the vulnerability still exists and could potentially harm organizations.
To mitigate the IDOR vulnerability found in Microsoft Teams, take the following actions:
Review whether external tenants need to be able to message your staff at all. If not, tighten your security controls by removing that option under Admin Center > External Access.
If communication with external tenants is necessary but only with specific organizations, adjust your security settings so that communication is allowed only with those trusted domains.
Educate staff that productivity apps such as Teams, Slack and SharePoint are also used to launch social engineering campaigns, not just email.
Remember that moving away from email to other communication methods does not guarantee protection from phishing. Phishing can occur through any channel, including messaging apps and social media.
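The following Python example is added here to illustrate both the exploitation section above and these recommendations; it is not Microsoft's or JUMPSEC's code. It models a message-send endpoint in two forms: a vulnerable handler that trusts the recipient ID in the POST body (the client UI was the only thing stopping files from going to external users), and a hardened handler that resolves conversation membership and tenancy on the server, applies an allow-list of trusted external tenants, and refuses file payloads across a tenancy boundary. All tenants, users, conversations, allow-list entries and requests are constructed for the example.

```python
"""
Added illustration, not Microsoft's or JUMPSEC's code: a toy message-send
handler showing the IDOR failure mode described above and the server-side
checks (conversation membership, tenant allow-list, no cross-tenant files)
that close it. Every tenant, user, conversation and request is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    tenant: str  # domain of the Microsoft tenancy the user belongs to


@dataclass(frozen=True)
class Conversation:
    conv_id: str
    members: tuple  # user IDs that are actually members of this conversation


# Constructed directory: one internal tenancy and two external ones
USERS = {
    "u-alice": User("u-alice", "acme.example"),
    "u-bob": User("u-bob", "acme.example"),
    "u-mallory": User("u-mallory", "partner.example"),
    "u-carol": User("u-carol", "trusted-partner.example"),
}
CONVERSATIONS = {
    "c-internal": Conversation("c-internal", ("u-alice", "u-bob")),
    "c-external": Conversation("c-external", ("u-alice", "u-mallory")),
    "c-trusted": Conversation("c-trusted", ("u-alice", "u-carol")),
}
# Allow-list of trusted external tenancies, as the post recommends (assumed values)
ALLOWED_EXTERNAL_TENANTS = {"trusted-partner.example"}


def send_message_vulnerable(sender_id: str, body: dict) -> dict:
    """Vulnerable pattern: the rule "no files to external users" lived only in
    the client UI, so the server delivers to whatever recipient ID the POST
    body carries and never compares it with the conversation or the tenancy."""
    recipient = USERS[body["recipient"]]
    return {"status": "delivered", "to": recipient.user_id,
            "attachment": body.get("attachment")}


def send_message_hardened(sender_id: str, body: dict) -> dict:
    """Hardened pattern: every fact about the recipient is resolved on the
    server from the sender's own identity, not taken from the request."""
    sender = USERS[sender_id]
    conv = CONVERSATIONS.get(body.get("conversation"))
    recipient = USERS.get(body.get("recipient"))
    if conv is None or recipient is None:
        return {"status": "rejected", "reason": "unknown object"}
    # 1. The referenced conversation must really contain both parties;
    #    the absence of this check is what turns an ID swap into an IDOR.
    if sender_id not in conv.members or recipient.user_id not in conv.members:
        return {"status": "rejected", "reason": "recipient not in conversation"}
    external = recipient.tenant != sender.tenant
    if external:
        # 2. Only allow-listed external tenancies may be messaged at all
        if recipient.tenant not in ALLOWED_EXTERNAL_TENANTS:
            return {"status": "rejected", "reason": "external tenant not allowed"}
        # 3. File payloads never cross a tenancy boundary, enforced server-side
        if body.get("attachment") is not None:
            return {"status": "rejected", "reason": "files to external tenants blocked"}
    return {"status": "delivered", "to": recipient.user_id,
            "attachment": body.get("attachment"), "external": external}


# Constructed request: a file message whose recipient ID was swapped from an
# internal colleague to an external user after the client-side check had run.
TAMPERED_REQUEST = {"conversation": "c-internal", "recipient": "u-mallory",
                    "attachment": "attachment.bin"}


if __name__ == "__main__":
    print("vulnerable:", send_message_vulnerable("u-alice", TAMPERED_REQUEST))
    print("hardened:  ", send_message_hardened("u-alice", TAMPERED_REQUEST))
```

Running the script shows the vulnerable handler delivering the file to the external user while the hardened handler rejects the same request because the recipient is not a member of the referenced conversation. The three checks are ordered so that the cheapest and most general one (object membership) runs first; the allow-list and the attachment rule only matter once a message is known to cross a tenancy boundary.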
How Akto can help
API vulnerabilities can be a real headache for individuals and organizations alike. Fortunately, Akto has got you covered! Our software is designed to detect and prevent API vulnerabilities, ensuring that your valuable data is safe from cybercriminals.
With Akto, you can easily scan for API vulnerabilities such as IDOR continuously before every release. Check for IDOR with Akto today.