Microsoft recently released a patch for a severe flaw in Teams that could have allowed bad actors to breach a user’s account. The vulnerability was discovered by Evan Grant, who works at Tenable, and is related to a feature in Microsoft Teams that allows users to launch apps as tabs within any team they are a part of.

The Power Apps tabs were found to be governed by an improperly anchored regular expression (insufficient input validation, to be specific).

The problem

Upon opening the tabs, it became apparent that the validation mechanism did not appropriately confirm that the content in the tab was from a trusted source. The problem was surprising, given that this is not a particularly hard thing to do. When a tab was opened, the validation mechanism only confirmed the beginning of the URL.

Because of that, attackers exploiting the flaw could theoretically create a subdomain on a domain they control and load untrusted content. For instance, if the URL was (, the validation system would only confirm this first section and if a malicious actor loaded a subdomain changing it to ( or something similar, they could load untrusted content to the theoretical ‘Micro Apps’ tab.
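The prefix-only check described above, shown next to an end-anchored pattern and a parse-then-compare check, as an added example that is not Microsoft's or Tenable's code. The host names (under the reserved `.example` domain), patterns and function names are constructed placeholders.

```javascript
// Constructed placeholder: apps.trusted.example stands in for the trusted app host.
const TRUSTED_HOSTS = new Set(['apps.trusted.example']);

// Weak: anchored at the start only, so any URL that merely begins with the
// trusted prefix passes, including a longer host name on another domain.
const WEAK_PATTERN = /^https:\/\/apps\.trusted\.example/;

// Anchored: the host must end right after the trusted name, i.e. be followed
// by a path, query or fragment delimiter, or by the end of the string.
const ANCHORED_PATTERN = /^https:\/\/apps\.trusted\.example(?:[\/?#]|$)/;

// Strict: parse the URL first, then compare scheme and host exactly
// against an allowlist instead of pattern-matching the raw string.
function strictIsTrusted(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never trusted
  }
  return parsed.protocol === 'https:' && TRUSTED_HOSTS.has(parsed.hostname);
}

// Constructed sample tab URLs.
const SAMPLES = [
  'https://apps.trusted.example/play/123',                  // genuine host
  'https://apps.trusted.example.attacker.example/play/123', // prefix on another domain
  'http://apps.trusted.example/play/123',                   // wrong scheme
  'not a url',                                              // malformed input
];

// Run all three checks over each URL so the verdicts can be compared.
function compare(urls) {
  return urls.map((url) => ({
    url,
    weak: WEAK_PATTERN.test(url),
    anchored: ANCHORED_PATTERN.test(url),
    strict: strictIsTrusted(url),
  }));
}

console.table(compare(SAMPLES));
```

Only the weak column marks the second URL as trusted; the parse-then-compare form is the easier one to audit because it never reasons about where the host name ends in a raw string.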

Grant explains

The researcher says that successfully exploiting this flaw can allow a hacker to control any of the users who access the infected tab. The information available to potential hackers will include group messages, email, the OneDrive storage service, and more.

With this level of access, the hacker can pretend to be a trusted employee, escalating the situation further, to gain even more access and make requests that could lead to theft and other malicious acts. Luckily for Teams users, it appears that the flaw is only on the server side and was discovered and patched before any exploitation was seen in the wild.