Security researchers from Positive Security have discovered four vulnerabilities in the Microsoft Teams app that attackers could exploit.
These vulnerabilities allow spoofing of link previews and even access to internal Microsoft services. Additionally, for Android users, they could leak IP addresses and enable DoS attacks against their Teams channels.
Two of the bugs can be used on any device and allow spoofing and server-side request forgery (SSRF), while the other two affect only Android smartphones and can be exploited to leak IP addresses or for denial-of-service (DoS) attacks.
By exploiting the SSRF vulnerability, the researchers were able to leak information from Microsoft’s local network, while the spoofing bug could be used to improve phishing attacks or to hide malicious links.
These four separate discoveries were reported to Microsoft back in March 2021. The company has remediated only one vulnerability, the one related to the IP address leak in Teams on Android.
Microsoft has told the researchers that the other 3 bugs don’t pose an immediate threat to Teams users.