Serious Vulnerability in Microsoft Teams That Could Expose Confidential Files

By   ISBuzz Team
Writer , Information Security Buzz | Jun 15, 2021 03:31 am PST

It has been disclosed that a serious vulnerability in Microsoft Teams has been discovered by Tenable’s Zero-Day Research Team. By abusing PowerApps functionality (a separate product used within Teams for building and using custom business apps), threat actors could gain persistent read/write access to a victim user’s email, Teams chats, OneDrive, Sharepoint, and a variety of other services by way of a malicious Microsoft Teams tab and Power Automate flows.

Exploit of this vulnerability is limited to authenticated users within a Teams organisation who have the ability to create Power Apps tabs, meaning it can’t be exploited by an untrusted/unauthenticated attacker. However, the permission to create these tabs is enabled by default, meaning a third-party contractor, disgruntled employee, or even an ex-employee whose access hasn’t been revoked could launch an attack.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Jonathan Knudsen
Jonathan Knudsen , Senior Security Strategist
June 15, 2021 11:33 am

<p><span lang=\"EN-US\">Microsoft has a proud history of leading the industry in application security, ever since Bill Gates’ famous Trustworthy Computing email nearly twenty years ago. So what does it mean for the rest of us when a security researcher like Evan Grant finds a vulnerability in Microsoft products? In fact, we can all take heart from a few key aspects of this announcement.</span></p> <p> </p> <p><span lang=\"EN-US\">First, even when you do everything right, things can still go sideways. Using a secure development life cycle is the best way to reduce risk when building software, but you can never eliminate risk entirely. Therefore, having a plan in place to respond to incidents is critically important, which is exactly what happened here.</span></p> <p> </p> <p><span lang=\"EN-US\">Second, security researchers are an important part of the ecosystem, and can be friendly allies when treated properly. This means that your organization should have one clear place for researchers to report issues, and you must respond to all inbound correspondence in a timely and respectful manner.</span></p> <p> </p> <p><span lang=\"EN-US\">Finally, a solid, automated update procedure helps minimise the impact of disclosures like these. In this case, after Microsoft fixed the vulnerability, customers’ software was updated automatically.</span></p>

Last edited 2 years ago by Jonathan Knudsen

Recent Posts

Would love your thoughts, please comment.x