It has been disclosed that a serious vulnerability in Microsoft Teams has been discovered by Tenable’s Zero-Day Research Team. By abusing PowerApps functionality (a separate product used within Teams for building and using custom business apps), threat actors could gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, Sharepoint, and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows.
Exploit of this vulnerability is limited to authenticated users within a Teams organisation who have the ability to create Power Apps tabs, meaning it can’t be exploited by an untrusted/unauthenticated attacker. However, the permission to create these tabs is enabled by default, meaning a third-party contractor, disgruntled employee, or even an ex-employee whose access hasn’t been revoked could launch an attack.
<p><span lang=\"EN-US\">Microsoft has a proud history of leading the industry in application security, ever since Bill Gates’ famous Trustworthy Computing email nearly twenty years ago. So what does it mean for the rest of us when a security researcher like Evan Grant finds a vulnerability in Microsoft products? In fact, we can all take heart from a few key aspects of this announcement.</span></p> <p> </p> <p><span lang=\"EN-US\">First, even when you do everything right, things can still go sideways. Using a secure development life cycle is the best way to reduce risk when building software, but you can never eliminate risk entirely. Therefore, having a plan in place to respond to incidents is critically important, which is exactly what happened here.</span></p> <p> </p> <p><span lang=\"EN-US\">Second, security researchers are an important part of the ecosystem, and can be friendly allies when treated properly. This means that your organization should have one clear place for researchers to report issues, and you must respond to all inbound correspondence in a timely and respectful manner.</span></p> <p> </p> <p><span lang=\"EN-US\">Finally, a solid, automated update procedure helps minimise the impact of disclosures like these. In this case, after Microsoft fixed the vulnerability, customers’ software was updated automatically.</span></p>