A researcher on Wednesday reported that he had found a vulnerability in the "sticker" feature in Microsoft Teams that could let actors conduct cross-site scripting (XSS) attacks.
In a blog post, Numan Turle, a researcher from Gais Cyber Security, reported that he initially found CVE-2021-24114 last year, which was found to trigger an account takeover vulnerability in Teams iOS.
A year later, Turle dug deeper into the vulnerability and found potential attacks against multiple domains. Turle disclosed the XSS issue to the Microsoft Security Response Center on Jan. 6 and the vulnerability was patched in March. The researcher was awarded a $6,000 bug bounty for his work.
With any finding, there's a journey of discovery that every researcher goes through filled with a mixture of challenges to overcome, some with success, and sometimes failure, said Michael Skelton, senior director of security operations at Bugcrowd.
“Numan Turle does an excellent job in this writeup of breaking down step-by-step the journey he went through to take his discovery from the itch of ‘I think I have something,’ to a successful finding — instead of just presenting the final destination and payload that led to a bounty, allowing others to benefit from his work in future discoveries,” Skelton said.
Aaron Turner, CTO of SaaS protect at Vectra, added that it’s extremely important that security teams understand that Microsoft Teams is not just a collaboration app. Turner said security pros should think of Teams almost as an entire operating system, with the ability to load third-party apps, integrate with other SaaS apps via APIs, store data in ways that can lead to data loss incidents, and as has been shown with this disclosure: load an entire web browser that bad actors can attack using XSS techniques.
“The architecture of Microsoft Teams also has caused it to inherit many of the problems of previous Microsoft collaboration platforms like Lync and Skype for Business,” Turner said. “Security teams should do everything possible to harden Teams settings to assure that the overall attack surface is reduced and that all authorized Teams functions are hardened to their maximum extent, then monitor the posture of those settings frequently to assure that attackers do not degrade the security settings to allow for an opening that they could exploit.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said XSS attacks have been an issue for a long time and it’s proven difficult to fully eradicate them.
“The more complex the code becomes, the easier it is to miss closing off all the potential vulnerabilities,” Parkin said.