Microsoft Teams' Unpatched URL Spoofing Vulnerability

  1. Log in to Microsoft Teams and select any user to send a message. Insert any link in the message text area and close the preview (here we use https://www.microsoft.com/).
  2. Now click Send and intercept that request in Burp Suite. In Burp Suite you can see the message's payload in cleartext. Here you can see that Microsoft uses an anchor tag for URL creation in chat, which is easily edited by anyone.

Priyank Raval

Cybersecurity enthusiast | Red Team | Love Recon | Learner