Microsoft’s workplace-oriented messaging app, Teams, has been through a series of controversies you wouldn’t expect of a chat app, including last year when the Android app was held responsible for breaking the ability to make 911 calls on some devices. Well, the Teams app — not the Android one this time, at least — is in the news again, and not for the right reasons.
California-based cybersecurity research firm Vectra has discovered a potentially serious flaw in the desktop version of the service: authentication tokens are stored in plain text, leaving them open to theft by a third party.
The issue affects the company’s Electron framework-based Teams app, which runs on Windows, macOS, and Linux machines. Vectra says that these credentials could theoretically be stolen by an attacker who already has access to the local or remote system. Microsoft is aware of this vulnerability, although the company does not appear to be in a rush to fix it.
Vectra explains that a hacker with the necessary access could steal data from a Teams user online and potentially impersonate them when they’re offline. This identity could then be used in applications such as Outlook or Skype, bypassing multi-factor authentication (MFA) requirements. Vectra recommends that users stay away from the Microsoft Teams desktop app until a fix is available, or alternatively use the Teams web app, which has additional security measures.
“Even more damaging, attackers can disrupt legitimate communications within an organization by destroying, exfiltrating, or engaging in spear phishing attacks,” said Connor Peoples, security architect at Vectra. He notes that this particular vulnerability only exists in the desktop version of Teams due to a lack of “additional security controls to protect cookie data.”
To make its point to Microsoft, Vectra even developed a proof of concept detailing the exploit, allowing the researchers to send a message from the account of the person whose access token was compromised.
While the Electron platform makes it easy to build desktop applications, it doesn’t include crucial security measures, like encryption or system-protected file locations, as standard. Security researchers have consistently criticized the framework for this, although Microsoft does not yet consider it a serious problem.
Cybersecurity news site Dark Reading (via Gadget) approached the company for comment on the Teams vulnerability and received a rather tepid response, saying that this security loophole “does not meet our out-of-the-box standard of service, as it requires an attacker to first gain access to a network of destiny”. However, the company did not rule out the possibility of implementing a solution in the future.
That said, if you’re serious about your security, it might be best to leave the platform alone for a while.
UPDATE: 2022/09/18 16:10 EST BY JULES WANG
There has been some controversy surrounding Vectra’s claim, relayed in this story, that Electron does not support encryption. It does indeed support secure-store string encryption, but that was only a recent change, introduced with Electron v15 last year (via DevStyleR), although a fresh install of Microsoft Teams on one of our Windows machines brought version 10.4.7.