Microsoft’s workplace-oriented messaging app Teams has been through a number of controversies you wouldn’t expect other chat apps to deal with, including last year when the Android app was believed to be responsible for breaking the ability to make 911 calls on the devices. Well, the Teams app — not the Android one this time, at least — is in the news again, and it’s not for the right reasons.
California-based cybersecurity research firm Vectra has discovered a potentially serious flaw in the desktop version of the service in which authentication tokens are stored in plain text, making them vulnerable to a third-party attack.
The issue affects the company’s Electron framework-based Teams app, which runs on Windows, macOS and Linux machines. Vectra says these credentials could theoretically be stolen by an attacker with local or remote system access. Microsoft is aware of this vulnerability, although the company doesn’t seem to be in a rush to fix it.
Vectra explains that a hacker with the required access could steal the token data of a logged-in Teams user and then impersonate that user, even when the user is offline. This identity could then be used in applications like Outlook or Skype, bypassing multi-factor authentication (MFA) requirements. Vectra recommends that users stay away from the Microsoft Teams desktop app until a fix is available or, alternatively, use the Teams web app, which has additional protections in place.
“Even more damaging, attackers can alter legitimate communications within an organization by snuffing out, exfiltrating, or engaging in selectively targeted phishing attacks,” said Connor Peoples, security architect at Vectra. He notes that this particular vulnerability only exists on the desktop version of Teams due to a lack of “additional security controls to protect cookie data.”
To get its message across to Microsoft, Vectra even developed a proof of concept detailing the exploit, allowing researchers to send a message to the account of the person whose access token was compromised.
Although the Electron platform makes it easy to create applications for desktop computers, it does not include crucial security measures such as encryption of stored data. Security researchers have repeatedly criticized this framework, although Microsoft does not yet consider it a serious problem.
Cybersecurity news site Dark Reading (via Engadget) approached the company for comment on the Teams vulnerability and received a fairly lukewarm response, saying that this security flaw “does not meet our bar for an immediate service because it requires an attacker to first gain access to a target network.” However, the company hasn’t ruled out the possibility of a fix rolling out in the future.
That said, if you’re serious about your security, it might be best to leave the platform entirely alone for a while.