Security researchers have recently identified a vulnerability in the Microsoft Teams desktop app. The security flaw could allow attackers to access authentication tokens and accounts with multi-factor authentication (MFA) enabled.
According to the cybersecurity company Vectra, Microsoft Teams stores user authentication tokens in plain text on the device. This would allow threat actors with local access to an affected system to steal the tokens and remotely sign in to the compromised account. The vulnerability affects the desktop versions of Microsoft Teams on Windows, Mac, and Linux.
Vectra first discovered the security flaw and disclosed it to Microsoft in August this year. However, Microsoft believes that the exploit doesn’t meet its severity criteria for immediate patching, and it plans to fix the bug in a future update.
“Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra researchers explained.

The researchers added that attackers could use the vulnerability to hijack the accounts of high-profile employees (such as the CEO or CFO). This makes it easier to launch phishing campaigns and potentially disrupt the operations of an entire organization.
Migrate to the Microsoft Teams web app
Vectra recommends that users switch to the Microsoft Teams web client until Microsoft patches the flaw. It advises using the app in a secure web browser (such as Microsoft Edge) to reduce the risk of data leakage. Meanwhile, Microsoft Teams users who still want to use the Electron app should download tools like KeyTar to store their OAuth tokens.
Last year, Microsoft launched a revamped “Teams 2.0” desktop app in public preview. The new web-based Microsoft Teams client ditches the Electron framework in favor of Edge WebView2. Electron applications are notorious for security issues, and the new Teams app should provide better OS-level security to protect cookies and storage. However, there is no ETA on when it will be available for enterprise customers.
