Wormable exploit found in Microsoft Teams

Security researcher Oskars Vegeris has revealed a wormable exploit for Microsoft Teams that compromises the chat client when a user merely views a message, without any further user interaction.

The result is a “complete loss of confidentiality and integrity for end-users — access to private chats, files, internal network, private keys and personal data outside MS Teams,” Vegeris said.

Because the exploit combines a cross-site scripting (XSS) flaw in the Teams ‘@mentions’ functionality with a JavaScript-based RCE payload, the code can also be spread to other users of the Teams app, making for a self-spreading exploit.

The exploit is also cross-platform, affecting Windows, Mac, Linux and even the web app.

Fortunately for Teams users, Vegeris discovered the flaw in August, and Microsoft released a patch not long after, at the end of October 2020.

Vegeris had also earlier disclosed a critical “wormable” flaw in Slack’s desktop version that could have allowed an attacker to take over the system by simply sending a malicious file to another Slack user.

via Thehackernews
