CVE CyberSecurity Database News

CVE-2024-21374 - Peeking Under the Hood of the Microsoft Teams for Android Information Disclosure Vulnerability

Poster -

In early 2024, another security flaw made its way into the headlines—CVE-2024-21374—this time impacting the ever-popular Microsoft Teams app on Android devices. While Teams is widely used by businesses, schools, and individuals, this bug put user privacy at stake by potentially exposing sensitive information. Let’s break down what happened, why it matters, how it works, and what you should do.

What is CVE-2024-21374?

CVE-2024-21374 is cataloged as an information disclosure vulnerability in Microsoft Teams for Android. In basic terms, this means that, under certain conditions, private information from the app could be accessed by unauthorized parties.

Affected product:

Microsoft Teams for Android (several versions prior to the security update)

Severity:
- Microsoft rates it as “Important” (CVSS score 5.5/10 – Moderate severity in practice, but very real for privacy)

How Could Attackers Exploit This?

According to Microsoft’s advisory (MSRC release), the flaw stems from improper handling of information by Microsoft Teams for Android. Under specific attack scenarios—like a user clicking on a specially crafted notification or link—malicious applications on the same device could read sensitive data belonging to Teams.

You have another (malicious) app installed on your Android phone.

- With this vulnerability, the bad app could “snoop” data from Teams—like notification contents, parts of your messages, or user details.

This issue is not remote. The attacker must have some level of access to the user’s device, either by getting them to install a malicious app or by exploiting another Android vulnerability.

The Technical Details (Exploit in Practice)

Microsoft doesn’t share in-depth technical write-ups, but security analysts and third-party sources have pieced together the root issue: insecure inter-process communication (IPC) or weak storage permissions.

Here’s a simplified code snippet illustrating what might have gone wrong

// Hypothetical problematic Teams code:
public class NotificationService extends Service {
    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        String message = intent.getStringExtra("msg_content");
        // Message is handled without properly validating the source
        displayNotification(message);
        return START_STICKY;
    }
}

// Malicious App:
Intent intent = new Intent();
intent.setComponent(new ComponentName("com.microsoft.teams", "com.microsoft.teams.NotificationService"));
intent.putExtra("msg_content", ">>> EXFILTRATE THIS <<<");
// Send fake intent, possibly reading or injecting sensitive data
context.startService(intent);

What’s happening here?
- The notification service in Teams might accept input from ANY app (not just Teams itself), letting an attacker inject or extract data.
- Or, Teams could be storing temporary files or logs in locations that don’t have strong Android permissions, making them readable by other apps.

Exploit Scenario Step-by-Step

1. Attacker deploys a trojan app (for example, a flashlight or game app) on the user’s Android phone.

App reads sensitive notifications, internal messages, or cached files.

4. Attacker extracts information—like organization names, contact info, or internal chats—that should have remained private.

Meeting titles and invite times

Sensitive business context (customer names, project codenames, etc.) could easily leak this way.

How Was It Fixed?

Microsoft patched Teams for Android in their February 2024 Patch Tuesday, tightening restrictions by:

Ensuring temporary files are stored in app-private directories

Patch details:
- Microsoft’s Security Guide for CVE-2024-21374

More References

- Microsoft Security Response Center: CVE-2024-21374
- NIST National Vulnerability Database: CVE-2024-21374
- Android Security Best Practices

Final Thoughts

CVE-2024-21374 highlights the reality that mobile apps from major vendors can leak information if not handled carefully. Even non-critical device vulnerabilities become powerful when chained with insecure app design. Always keep your apps and devices up-to-date, and remember: when it comes to privacy, even “moderate” risks are worth fixing.

If you’re a Teams for Android user, update today—your conversations and data are worth protecting.


*Written for the security-aware, by a security buff. Share safely!*

Timeline

Published on: 02/13/2024 18:15:55 UTC
Last modified on: 02/28/2024 23:15:09 UTC