Microsoft’s workplace-oriented messaging programme, Teams, has faced a number of problems that you wouldn’t expect other chat applications to face, such as last year when the Android app was blamed for disrupting the ability to place 911 calls on smartphones. The Teams app — at least the Android version this time — is back in the news, and not for the good reasons.
Vectra, a cybersecurity research group based in California, discovered a potentially catastrophic issue in the service’s desktop edition, in which authentication tokens are stored in plain text, making them open to a third-party assault.
The problem affects the Teams app, which runs on Windows, macOS, and Linux machines and is built on the company’s Electron platform. According to Vectra, an attacker with local or remote system access may theoretically steal these credentials. Microsoft is aware of the vulnerability, but it does not appear to be in a hurry to address it.
According to Vectra, a hacker with the necessary access might grab data from an online Teams user and perhaps impersonate them when they’re offline. This identity might then be used to bypass multifactor authentication (MFA) restrictions in programmes like Outlook or Skype. Vectra advises users to avoid using the Microsoft Teams desktop version until a remedy is released, or to utilise the Teams web app, which has extra precautions in place.
“Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks,” Connor Peoples, security architect at Vectra, said. He notes that this particular vulnerability only exists on the desktop version of Teams due to a lack of “additional security controls to protect cookie data.”
To make its point to Microsoft, Vectra created a proof-of-concept exploit that allowed the researchers to send a message to the account of the individual whose access token had been compromised.
While the Electron platform makes it simple to create desktop apps, it lacks essential security features such as encryption and system-protected file locations. Although Microsoft does not believe this framework to be a severe issue, security researchers have consistently attacked it.
Dark Reading (via Engadget) contacted the firm for comment on the Teams vulnerability and received a lukewarm answer, stating that this security flaw “does not meet our criteria for quick servicing as it requires an attacker to first acquire access to a target network.” However, the business did not rule out the prospect of a future patch being released.
However, if you’re concerned about your security, it might be wise to leave the site alone for a bit.