Microsoft Teams Security Alert: IDOR Vulnerability Uncovered in Collaboration Tool
Researchers discovered IDOR vulnerability in Microsoft Teams' IDOR that lets attackers inject malware into any organization.
Medusa
3 mins
Researchers at JUMPSEC recently discovered a vulnerability in the security of Microsoft Teams. They tricked the system into thinking the malware was a file instead of a link by bypassing client-side controls. In this blog, we will cover the following:
What happened?
How researchers exploited IDOR in teams?
Microsoft’s response
Recommendation
How Akto can help?
Microsoft Teams Security Alert: What happened?
A recent advisory from JUMPSEC Labs has uncovered a dangerous vulnerability in the latest version of Microsoft Teams. Researchers Max Corbridge and Tom Ellson discovered an IDOR vulnerability that could allow malware to be introduced to a user's system. They found that the default Microsoft Teams configuration bypassed client-side security controls, enabling attackers to deliver malware via maliciously crafted files to target users.
"Microsoft Teams is the ultimate messaging app for your organization – a workspace for real-time collaboration and communication, meetings, file and app sharing. As of 2023, Microsoft Teams had 280 million daily active users. In 2022, the annual revenue of Microsoft Corporation was 198.27 billion." Read more here.
Users with a Microsoft account can connect with businesses or organizations using Microsoft Teams, known as external tenancies. Each external tenancy has its own Microsoft tenancy, and users from one tenancy can send messages to users in another. The name of the external tenancy is accompanied by an "External" banner when sending messages.
"IDOR (Insecure Direct Object Reference) vulnerability is a type of security vulnerability that occurs when an application allows unauthorized access to an object by modifying the value of a parameter used to directly reference that object. This can occur when an application fails to properly enforce access controls or properly validate user input." Read More here.
External messages often come with a warning, but people still click on them. This lets attackers send malware to the target. Researchers at JUMPSEC found a way around Microsoft Teams' security. They tricked the system into thinking the malware was a file instead of a link. This can fool most anti-phishing measures and is very dangerous for organizations.
How researchers exploited IDOR in teams?
Sending files to staff in another organization is not allowed, unlike with members of your own tenancy. See the below image.
But the JUMPSEC researchers found a way to get past security controls by using a traditional IDOR technique. They changed the IDs of the internal and external recipients on the POST request, which is usually located at /v1/users/ME/conversations/messages.
Also, the malware that's hosted on a SharePoint domain looks like a file to the victim user instead of a link. So, the target user is likely to download the malware without being warned.
The payload is hosted on a SharePoint domain and downloaded from there by the target, but it is disguised as a file rather than a link in the target's inbox.
Microsoft Response
Microsoft has been informed of the vulnerability, but has not considered it to "meet the bar for immediate servicing". As a result, it is important for Microsoft Teams users to remain vigilant when interacting with emails from external tenants. It is recommended to review external tenant permission to message the firm's staff, maintain allow-lists for trusted external tenants, and train staff to tackle such threats.
Recommendations
After discovering this issue, the researchers reached out to Microsoft to let them know. While Microsoft acknowledges the bug, they have decided that it is not urgent enough to fix it immediately. Unfortunately, this means that the vulnerability still exists and could potentially harm organizations.
There are some recommended actions to protect against the IDOR vulnerability discovered in Microsoft Teams. These include:
To mitigate the IDOR vulnerability found in Microsoft Teams, take the following actions:
Review whether external tenants require permission to message the staff. If not, tighten security controls and remove the option in Admin Center > External Access.
Adjust security settings to allow communication only with trusted domains if communication with external tenants is necessary, but only with specific organizations.
Educate staff about the dangers of productivity apps like Teams, Slack, and SharePoint for launching social engineering campaigns.
Remember that using alternative communication methods to email does not guarantee protection from phishing attacks. Phishing attacks can occur through any communication method, such as messaging apps or social media.
How Akto can help?
API vulnerabilities can be a real headache for individuals and organizations alike. Fortunately, Akto has got you covered! Our software is designed to detect and prevent API vulnerabilities, ensuring that your valuable data is safe from cybercriminals.
With Akto, you can easily scan for API vulnerabilities such as IDOR continuously before every release. Check for IDOR with Akto today.
Keep reading
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
News
8 mins
Akto Recognized as a High Performer in G2’s Fall 2024 Reports for API Security and DAST
We’re proud to announce that Akto has been named a High Performer in both the API Security and Dynamic Application Security Testing (DAST) in G2’s Fall 2024 reports.
Product updates
5 minutes
Introducing Akto Code: Automated API Discovery from source Code
Akto Code is the new addition to Akto's API Discovery suite, complementing our existing capabilities for traffic source analysis in production and lower environments.