Wormable exploit found in Microsoft Teams


Security researcher Oskars Vegeris has revealed a wormable exploit for Microsoft Teams that is triggered simply by viewing a message in the chat client, without any user interaction.

The result is a “complete loss of confidentiality and integrity for end-users — access to private chats, files, internal network, private keys and personal data outside MS Teams,” Vegeris said.

By combining a cross-site scripting (XSS) flaw present in the Teams ‘@mentions’ functionality with a JavaScript-based RCE payload, the code can also be spread to other users of the Teams app, making for a self-spreading exploit.

The exploit is also cross-platform, affecting Windows, Mac, Linux and even the web app.

Fortunately for Teams users, Vegeris discovered the flaw in August, and Microsoft released a patch not long after, at the end of October 2020.

Vegeris had also earlier disclosed a critical “wormable” flaw in Slack’s desktop version that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.

via Thehackernews
