Another collective article on Microsoft Teams, which is widely used but has a somewhat idiosyncratic implementation, is teeming with bugs and attracts negative attention for it every now and then. Today's topics: since March 2021, Microsoft has been aware of four vulnerabilities in Teams that allow phishing via the link preview. And on Android, Microsoft Teams can block emergency calls. Here's a quick overview.
Phishing vulnerabilities in Microsoft Teams
Fabian Bräunlein, founder of German security firm Positive Security, encountered four vulnerabilities in Microsoft Teams back in the spring of 2021, which he reported to the Microsoft Security Response Center (MSRC) on March 10, 2021, according to this blog post.
- 1 – Server-Side Request Forgery
- 2 – URL preview spoofing
- 3 – IP address leak
- 4 – Message of Death (DoS)
The bugs are explained in detail in the linked blog post by the security researcher. The URL preview spoofing bug (number 2 in the list above) can be used by attackers for phishing attacks or to cloak malicious links. However, Microsoft's MSRC team does not see any problem in this bug and replied:
MSRC has investigated this issue and concluded that this is not an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL, which would be an indication that it is not the one the user was expecting.
On March 25, 2021, the ticket in question was closed; Microsoft said it would not fix this bug in the current version. It is now the end of 2021 and the bug is still unpatched. Therefore, Fabian Bräunlein, who is not really happy because of the bug bounty for the Windows 10 vulnerability mentioned above (the screw-up by Microsoft is touched on here), published the blog post on December 22, 2021. I came across the issue via this article.
Teams blocked emergency calls in Android
In mid-December 2021, it became known through various reports (I didn't have this on the blog, as I saw it as limited to emergency calls in the US) that users who had Microsoft Teams installed on Android may not be able to place emergency calls to 911. I'll link to this post from PC Magazine (English). The conditions and implications are explained there. Microsoft has since released version 1416/18.104.22.1681194504 of the Teams Android app, which does not require uninstalling and then reinstalling the app to fix the problem.