A safety researcher recognized a extreme XSS vulnerability affecting the Microsoft Groups software program. Exploiting the bug merely required an adversary to ship a maliciously crafted sticker by way of the app.
Microsoft Groups Vulnerability
Sharing the small print in a blog post, safety researcher Numan Turle acknowledged how he found an XSS vulnerability in Microsoft Groups.
As elaborated, the researcher discovered this bug whereas inspecting Microsoft Groups for a potential safety flaw. The researcher primarily targeted on how the Groups characteristic permitting sending and receiving stickers labored.
Particularly, Turle observed that Groups converts the sticker to a picture whereas sending it as a RichText/Html message. After sending the sticker, the researcher noticed that tapping on it displayed the alt attribute in a popup on the backside. That’s the place the researcher meddled by including sure characters which have been interpreted by the app.
Whereas Microsoft carried out a CSP to stop XSS assaults, the researcher observed a CSP fault that allowed HTML injection assaults. Utilizing Google’s CSP Evaluator device, the researcher noticed how the “script-src” area was marked as unsafe within the script, permitting HTML injection in opposition to a number of domains. The researcher might then additional analyze the app and discover an outdated angular-jquery model (1.5.14). This discovery enabled the researcher to bypass the CSP and set off the XSS flaw following the consumer interplay.
Microsoft Patched The Bug
After discovering the vulnerability, the researcher reached out to Microsoft officers by way of their bug bounty program. The researcher disclosed the bug to the MSRC crew in January 2022, in response to which Microsoft began engaged on a repair.
Ultimately, the tech large patched the vulnerability and acknowledged the researcher’s effort with a $6000 bounty because the reward.
So now, it implies that Microsoft Groups customers don’t have to fret about potential exploitation by way of this bug. Nonetheless, customers should guarantee operating the most recent app variations on their units to make sure receiving the patch.
Tell us your ideas within the feedback.