Home United States USA — software API Security Weekly: Issue #138

API Security Weekly: Issue #138

234
0
SHARE

This week, we check out the recent vulnerabilities in Microsoft Teams and Instagram, the awesome-apisecurity repo in GitHub, and the upcoming DevSecCon24 …
Join the DZone community and get the full member experience. This week, we check out the recent vulnerabilities in Microsoft Teams and Instagram, the awesome-apisecurity repo in GitHub, and the upcoming DevSecCon24 conference. Evan Grant found a way to break into Microsoft Teams accounts by leveraging Microsoft Power Apps. Microsoft Power Apps and Power Automate services are meant to provide easy tools to add custom applications and flows to Teams. A small bug in Power Apps snowballed into a big issue, allowing attackers to create a Teams tab, steal the victim’s tokens through a rogue iFrame, and then use that token to gain persistent read/write access to the victim’s email, Teams chats, OneDrive, Sharepoint, and a variety of other services. Here’s a quick video on Grant’s proof of concept for gaining access to another user’s OneDrive file: The Teams tabs were checking the location of iFrames and ensuring that those began with https: // make. powerapps. com. However, Grant could circumvent this by simply creating a subdomain that starts with that string but is hosted on his own domain, like https: // make.

Continue reading...