Saturday, December 14, 2024
HomeMicrosoftMicrosoft Teams Chat Service Bug Let Hackers Gain Read/Write Access to a...

Microsoft Teams Chat Service Bug Let Hackers Gain Read/Write Access to a Victim User’s Teams Chats

Published on

SIEM as a Service

Cybersecurity researcher Evan Grant of the security firm Tenable has recently detected a vulnerability in the Microsoft Teams. And this vulnerability allows the threat actor to take control of the account of users.

By exploiting this flaw hackers can easily steal all the sensitive data like:-

  • User’s Teams messages
  • Emails
  • One Drive files

Apart from this, the threat actors can also send emails and messages to disguise themselves as the users so that they can trick their victims easily; but, luckily this vulnerability has been patched.

- Advertisement - SIEM as a Service

Malicious Microsoft Teams Tab

This feature is one of the default features of Microsoft Teams, and the security researcher Evan Grant affirmed that the threat actors are taking the advantage of this default key feature.

Microsoft Teams Tab feature enables the users to initiate small apps as a tab from the team they belong to, and this feature is applicable for all the users.

Here the power apps are the subset of the wider Microsoft Power Platform, and the main motive of initiating power apps is to store, manage and share team-specific data, apps, and flows. 

But the hackers are miserably abusing this default environment for their own benefits and privileges.

Thieving Tokens

All the power tabs are not built for equal purposes, but, Evan Grant claimed that the power App extension tab types, the app.powerapps.com page generally interacts with both of its teams, “Teams JS SDK” and “Child iFrame,” here just by using the javascript postMessage it communicates.

During an investigation, Grant remarked that the frame which was being replaced is getting access to the tokens from its parent window, and the most important part is that it doesn’t require any further authentication. 

Through this, the hackers are getting access to the tokens without any issue, since it doesn’t require any authentication to pass through.

Stealing more tokens, emails, messages, and files

Grant pronounced that, service.flow.microsoft.com tokens are taking more attention, as they can be easily abused by the threat actors to get access to more such tokens.

Once the threat actors get access to the tokens they can easily create a Power Automate flows, which would later allow them to get access to the user’s email from Outlook, files from OneDrive and SharePoint, Team messages, and many more.

Pieces of a PoC 

  • Office 365 (for Outlook access), and Teams connectors,
  • Flow that allows them to send emails as the user.
  • Flow that allows them to get all Teams messages from channels the victim is in and to send messages on their behalf.

Shortcomings

Moreover, one can carry out this attack, if he/she is a member of the Microsoft Teams; and this implies that this is a context of insider threat attack.

However, this attack can put a potential impact on the users and could be huge, especially if the motive of the threat actors is to hit an organization administrator.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Over 300,000 Prometheus Servers Vulnerable to DoS Attacks Due to RepoJacking Exploit

The research identified vulnerabilities in Prometheus, including information disclosure from exposed servers, DoS risks...

Reyee OS IoT Devices Compromised: Over-The-Air Attack Bypasses Wi-Fi Logins

Researchers discovered multiple vulnerabilities in Ruijie Networks' cloud-connected devices. By exploiting these vulnerabilities, attackers...

New Android Banking Malware Attacking Indian Banks To Steal Login Credentials

Researchers have discovered a new Android banking trojan targeting Indian users, and this malware...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

“Password Era is Ending,” Microsoft to Delete 1 Billion Passwords

Microsoft has announced that it is currently blocking an astounding 7,000 password attacks every...

Black Basta Ransomware Leverages Microsoft Teams To Deliver Malicious Payloads

In a resurgence since May 2024, the Black Basta ransomware campaign has exhibited a...

How to Securely Recover Corrupt SQL Databases and Prevent Data Loss in Cyberattacks

In the digital age, SQL databases are essential for storing and managing vast amounts...