by rndgermandude 2023 days ago
Thing is, we don't know if this was found before by malicious actors and sold and/or abused.

This thing sounds like it is mostly pretty straightforward to find once you start looking - "you" being somebody experienced in this field of research, that is. At least you don't have to construct fancy weird machines (with type confusion, heap spraying and all those shenanigans). It comes down to finding something that can perform code execution in their internal API (here: "electronSafeIpc") and then finding a way to get there (here: angular escape bypass/not-properly-sanitized user-provided data), and you can do both in JavaScript and don't have to read tons of machine code.

Given that Teams is a great target because of its large and often corporate user base, I'd be surprised if none of the usual industrial espionage suspects (e.g. China, NSA, etc.) had a look at Teams before. And I'd think the chance of them having found the same bug, or a related bug, once they looked is pretty good too.

From what I am hearing even the (US) military uses Teams sometimes... If that isn't incentive to look at this thing for "interested parties", then I don't know.

2 comments
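The two links of the chain the post describes (a privileged IPC sink reachable from the renderer, plus user-controlled text that reaches the renderer unescaped) modelled in plain Node. This is an added illustration of the bug class, not Teams code, not the reported bug and not anything from the thread; the bridge functions, channel names and handler bodies are hypothetical, and the "attacker message" is constructed.

```javascript
// Added example: generic model of "privileged IPC sink + unescaped user content".
// NOT Teams code and NOT the reported bug; all names are hypothetical.
// Runs in plain Node, no Electron required.

// --- Main-process side (hypothetical handlers) ---------------------------
// The "interesting bit": a handler that, in a real app, would spawn a process.
// Here it only records what it would do, so the example stays harmless.
const mainHandlers = {
  'open-external': (url) => ({ action: 'open', url }),
  'run-helper': (args) => ({ action: 'spawn', argv: ['helper', ...args] }),
};

// Vulnerable bridge: whatever channel the renderer names is forwarded as-is.
// Any script that manages to run in the renderer can reach 'run-helper'.
function bridgeUnsafe(channel, payload) {
  const handler = mainHandlers[channel];
  if (!handler) throw new Error(`no such channel: ${channel}`);
  return handler(payload);
}

// Hardened bridge: an explicit allowlist of channels the renderer may call,
// each with a validator for the payload shape it accepts.
const exposedChannels = {
  'open-external': (url) =>
    typeof url === 'string' && /^https:\/\/[^\s"'<>]+$/.test(url),
};
function bridgeSafe(channel, payload) {
  const validate = exposedChannels[channel];
  if (!validate) return { error: 'channel not exposed' };
  if (!validate(payload)) return { error: 'payload rejected' };
  return mainHandlers[channel](payload);
}

// --- Renderer side -------------------------------------------------------
// Unsafe: user-provided text is concatenated straight into markup, so a
// message containing a tag with an event handler becomes live HTML.
function renderUnsafe(userText) {
  return `<div class="msg">${userText}</div>`;
}

// Safe: escape the five characters that let text break out of a text node
// or attribute value, so the same message is displayed, not interpreted.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderSafe(userText) {
  return `<div class="msg">${escapeHtml(userText)}</div>`;
}

// Check on rendered output: does any raw tag survive inside our wrapper?
// (Escaped text may still contain the word "onerror=", but without a raw
// '<' it is never parsed as an attribute, so we look for tag openers only.)
function hasInjectedMarkup(html) {
  const inner = html.slice('<div class="msg">'.length, -'</div>'.length);
  return /<\/?[a-z!]/i.test(inner);
}

// Constructed attacker message (hypothetical, not a payload from the thread):
// if it lands in the DOM unescaped, the handler calls into the bridge.
const attackerText = `<img src=x onerror="bridge('run-helper', ['--evil'])">`;

// Walk the chain both ways so the difference is visible when run directly.
function demo() {
  return {
    unsafeRenderInjected: hasInjectedMarkup(renderUnsafe(attackerText)),
    safeRenderInjected: hasInjectedMarkup(renderSafe(attackerText)),
    unsafeBridge: bridgeUnsafe('run-helper', ['--evil']),
    safeBridge: bridgeSafe('run-helper', ['--evil']),
  };
}

console.log(demo());
```

Both fixes are needed: the allowlist means a script that does get into the renderer can no longer reach the process-spawning handler, and the escaping means the message content never becomes a script in the first place. Fixing only one leaves the other link of the chain intact.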

> This thing sounds like it is mostly pretty straight forward to find once you start looking

Most security bugs with 20/20 hindsight are "obvious" when explained well. Personally, I think that is an insulting and immature thing to say IMHO.

Please check out how much code MS Teams actually has before statements like this :)

(it’s more than 30MB of compressed JS)

I didn't want to belittle your work, if you think that was the case. It's still outstanding to find things like that on your own, and a lot of work goes into it. Sorry if I gave the wrong impression.

I have analyzed foreign code bases of similar dimensions in the past myself and found critical bugs. The size doesn't say much; it comes down to identifying the "interesting" bits (like the electronSafeIpc in this case), which can be hard and tedious, but greatly reduces the code you have to look at in detail. My assertion is that if your name is e.g. China, then you will not be turned off by that.

That electronSafeIpc API is actually not that interesting and a completely standard way to do things for ElectronJS apps.

No, I do agree - from my perspective C/C++ class bugs are more difficult. Maybe they see this as magic as well.

Still, it was painstaking work and in either case CountryX will easily surpass those difficulties.

30MB of hand-written JS? For what's basically a glorified chat client?

With that much code I'd expect an AI to talk to people so I don't have to.