Teams, Microsoft’s workplace-focused messaging program, has run into issues you wouldn’t expect a chat application to face, such as when its Android app was blamed for breaking the ability to place 911 calls on some devices the year before. Now the Teams app (though not the Android version) is making headlines again, and not for the right reasons.
The desktop version of the service has a potentially significant weakness: authentication tokens are stored on disk in plain text, leaving them open to theft by a third party, as discovered by Vectra, a California-based cybersecurity research group.
Teams, which is built on the firm’s Electron framework and runs on Windows, macOS, and Linux, is affected on all three platforms. According to Vectra, an attacker who already has access to the system, whether locally or remotely, could take these credentials. Microsoft is aware of the issue but isn’t planning to issue a patch anytime soon.
According to Vectra, an intruder with that level of access could steal a user’s token while the user is signed in to Teams and then use it to impersonate that person even when they are no longer connected to the service. With that identity, the attacker can sign in to other services such as Outlook or Skype using the same stolen credentials, without being challenged by MFA. Vectra suggests users avoid the Microsoft Teams desktop software until a patch is released, or switch to the Teams web app with additional security measures in place.
More damaging still, according to Connor Peoples, security architect at Vectra, is the fact that “attackers can tamper with legitimate communications within an enterprise by deliberately deleting, exfiltrating, or participating in targeted phishing assaults.” Due to the absence of “additional security safeguards to protect cookie data,” he says, this flaw is present exclusively in the desktop version of Teams.
Vectra built a proof of concept demonstrating the vulnerability, which let its researchers interact with the account of the victim whose access token had been stolen. This helped the company make its case with Microsoft.
Electron is a popular platform for developing desktop apps. However, it does not provide essential protections out of the box, such as encrypting the data an app stores locally. Security researchers have repeatedly criticized the framework on this point, but Microsoft doesn’t see it as a significant problem just yet.
When cybersecurity news site Dark Reading (via Engadget) asked Microsoft to comment on the Teams vulnerability, the company gave a lukewarm answer, stating that the flaw “does not satisfy our criteria for quick servicing as it needs an attacker first to get access to a target network.” A patch may still be released in the future, however, as Microsoft hasn’t ruled one out.
If you’re concerned about your privacy, you should stop using the desktop app until the issue is fixed.