JUMPSEC LABS

The JUMPSEC Lab is a place where the the technical team get creative and showcase their latest security research, publications, interesting news and general thoughts!  We love what we do and are passionate about security, with some great upcoming projects planned, bookmark our site and stick around to see what we are working on.

Advisory: IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

TL;DR Max Corbridge (@CorbridgeMax) and Tom Ellson (@tde_sec) of JUMPSEC’s Red Team recently discovered a vulnerability in the latest version of Microsoft Teams which allows for the possible introduction of malware into any organisations using Microsoft Teams in its default configuration. This is done by bypassing client-side security controls which prevent external tenants from sending files (malware in this case) to staff in your organisation. JUMPSEC has detailed remediation options, as...

read more

Microsoft Onenote Image Caching Bug (Confidential Information Leakage)

Bug Summary A security bug in the Microsoft Onenote allows images placed in user-created password-protected sections to be cached persistently in the user profile temporary directory folder: C:\Users\%username%\AppData\Local\Temp.  Analysing the content the temporary folder will reveal images that should be securely protected by Onenote.   Bug Scope This has only been tested with Microsoft Onenote 2013 with all known updates installed. Last testing on 01/03/2015.   Find the Bug Guide 1) Open...

read more