
Security researchers have recently identified a vulnerability in the Microsoft Teams desktop app. The security flaw could allow attackers to access authentication tokens and accounts with multi-factor authentication (MFA) enabled.
According to the cybersecurity company Vectra, Microsoft Teams stores user authentication tokens in plain text on the device. This would allow threat actors with local access to an affected system to steal the tokens and remotely sign in to the compromised account. The vulnerability affects the desktop versions of Microsoft Teams on Windows, Mac, and Linux.
“Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra researchers explained.
The researchers added that attackers could use the vulnerability to hijack accounts of high-profile employees (such as the CEO or CFO). Hijacking such accounts makes it easier to launch phishing campaigns and potentially disrupt the operations of an entire organization.
Vectra first discovered the security flaw and disclosed it to Microsoft in August this year. However, Microsoft believes that the exploit doesn’t meet its severity criteria for immediate patching, and it plans to fix the bug in a future update.
“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release,” a Microsoft spokesperson said in a statement to Bleeping Computer.
Last year, Microsoft started working on a new web-based “Teams 2.0” desktop app, which ditches the Electron framework in favor of Edge WebView2. All Electron applications have some known security issues, and the new Teams app should provide better OS-level security to protect cookies and storage. However, there is no ETA on when it will be available for enterprise customers.