Concerningly, the vulnerability would give hackers visibility of end-user accounts when a user simply sees a message. In other words, no interaction by the user is needed to exploit the flaw. According to security researcher Oskars Vegeris, the flaw in Microsoft Teams is wormable. An exploit would access the client chat and view the messages, resulting in a “complete loss of confidentiality and integrity for end-users — access to private chats, files, internal network, private keys and personal data outside MS Teams.” Vegeris points to a cross-site scripting (XSS) vulnerability and a JavaScript RCE payload component in Microsoft Teams. The flaw is found in the @mentions feature of the service. If an attacker exploits this security hole, they could gain access to other parts of the app. Because it affects a universal Teams feature, the wormable exploit works across platforms: Windows, Linux, Mac, and the web versions.

Fix

This is clearly a problematic vulnerability, but Vegeris says he originally found the flaw in August and reported it to Microsoft at the time. During an October round of updates, the company issued a patch for this vulnerability. That means it is worthwhile ensuring your Teams apps are up to date. Interestingly, the researcher also found a wormable vulnerability in Microsoft Teams rival Slack. He says this flaw would allow a threat actor to control the Slack app by sending a malicious file to another user. However, unlike the Teams flaw, this would require user interaction.
