Microsoft has been accused of downplaying the impact of a set of remotely exploitable vulnerabilities in its Teams communications app, which a researcher said could open up organisations' internal networks and leak information without user interaction.
Some of the bugs Vegeris found allowed remote code execution with no interaction required, and could be silently executed by attackers entering channels as guest users.
This, Vegeris said, could have allowed for companies' internal networks to be compromised, and users' documents and messages on Office 365 to be intercepted.
He also speculated that the vulnerabilities could have been wormable - so that they spread in Microsoft Teams networks - if the recipients of the malicious messages automatically reposted them in their channels.
By exploiting a cross-site scripting vulnerability on the teams.microsoft.com website, Vegeris found that it was possible to capture the single sign-on (SSO) tokens for not just Teams but also other Microsoft services, such as Outlook, Skype and Office 365.
The five remote code execution bugs were reported to Microsoft in August this year, and patched at the end of October.
Vegeris said Microsoft did not assign Common Vulnerabilities and Exposures (CVE) indexes to the bugs since it has a policy of not doing so with products that automatically update.
Furthermore, while Microsoft considered the vulnerabilities to be within the scope of its Office 365 cloud bug bounty program, three months after Vegeris report it gave them the lowest possible "Important, Spoofing" rating rather than a critical rating for the browser Teams client.
The vulnerabilities in the desktop Teams clients for Windows, macOS and Linux were rated as "critical, remote code execution" but Vegeris said Microsoft considered the app to be out of scope for the bug bounty program.
Teams has become a popular collaboration tool as the Covid-19 pandemic forced millions of corporate employees to work remotely, along with competitors Slack, Zoom and Google Hangouts.