Microsoft: Token-Mining Vulnerability in Teams is Not Critical to Fix


Security researchers have recently identified a vulnerability in the Microsoft Teams desktop app. The security flaw could allow attackers to access authentication tokens and accounts with multi-factor authentication (MFA) enabled.

According to the cybersecurity company Vectra, Microsoft Teams stores user authentication tokens in plain text on the device. This would allow threat actors with local access to an affected system to steal the tokens and remotely sign in to the compromised account. The vulnerability affects the desktop versions of Microsoft Teams on Windows, Mac, and Linux.

“Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra researchers explained.


The researchers added that attackers could use the vulnerability to hijack the accounts of high-profile employees (such as the CEO or CFO). This makes it easier to launch phishing campaigns and potentially disrupt the operations of an entire organization.

Microsoft to patch the Teams flaw in a future update

Vectra first discovered the security flaw and disclosed it to Microsoft in August this year. However, Microsoft believes that the exploit doesn’t meet its severity criteria for immediate patching, and it plans to fix the bug in a future update.

“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release,” a Microsoft spokesperson said in a statement to Bleeping Computer.

Last year, Microsoft started working on a new web-based “Teams 2.0” desktop app, which ditches the Electron framework in favor of Edge WebView2. All Electron applications have some known security issues, and the new Teams app should provide better OS-level security to protect cookies and storage. However, there is no ETA on when it will be available for enterprise customers.