According to analysts at cybersecurity firm Vectra, there is a massive vulnerability in Microsoft Teams, and countless users could potentially be affected if attackers exploit it.
The program has a flaw that allows attackers to steal user credentials and log into their accounts. Unfortunately, Microsoft currently has no plans to patch this, so read on to make sure you’re safe from this unexpected Microsoft Teams issue.
This bug, first discovered in August 2022, is quite serious, but also not that easy to exploit. It applies to the desktop versions of Microsoft Teams (so not the browser version) and affects users on Windows, Linux, and Mac.
It all comes down to how Teams stores user authentication tokens – in plain text, with no additional protection. That would be devastating if it didn’t depend on one crucial factor: an attacker must have local access to the system on which Microsoft Teams is installed.
Assuming an attacker has local access to the network, they could steal the authentication tokens and log into the victim’s account.
Connor Peoples, a Vectra researcher, said the threat runs deeper than just an account being compromised; it allows the attacker to hijack accounts that could potentially disrupt the operations of an entire organization.
“Gaining control of critical jobs — like a company’s chief technology officer, CEO, or CFO — attackers can convince users to perform tasks that are detrimental to the business,” Peoples said in the report.
How does it all work? Bleeping Computer explained it in more detail, but the short story is that Microsoft Teams is an Electron app and includes all the elements required for any normal webpage, such as cookies and session strings. Electron does not support file encryption or setting up protected storage locations, which is why user credentials are not protected as they should be.
During its research, Vectra found a file containing user access tokens in plain text. “Upon verification, these access tokens were found to be active and not an accidental dump of a previous bug. These access tokens gave us access to the Outlook and Skype APIs,” the company’s report said.
Further research uncovered even more data, including valid authentication tokens and account information. Vectra also found a way to exploit the app and was able to receive the tokens in its own chat window.
It’s concerning that this vulnerability is currently out there, but Microsoft doesn’t consider it big enough to prioritize patching. A Microsoft spokesman told Bleeping Computer: “The technique described does not meet our needs for immediate servicing, as an attacker must first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing it in a future product release.”
In the meantime, if you’re concerned about the security of your Teams account, it’s a good idea to switch to the browser version of Teams instead of the desktop client. However, Linux users are advised to simply switch to another app – especially since Microsoft plans to stop supporting the Linux version of Teams by the end of this year.
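For teams that keep the desktop client, the plain-text token storage described above can at least be monitored: any program other than Teams itself that touches the client's local data is worth an alert. The sketch below is an added example, not code from Vectra, Microsoft or the original article; the directory and executable placeholders, the JSON-lines event schema and the sample events are all assumptions made for illustration.

```python
import json
import posixpath
from pathlib import PurePosixPath

# Hypothetical placeholders: the article names no paths or executables.
TEAMS_DATA_DIR = PurePosixPath("/home/alice/TEAMS_DATA_DIR_PLACEHOLDER")
ALLOWED_EXES = {"/opt/TEAMS_INSTALL_PLACEHOLDER/teams"}

# Constructed file-access events in an assumed JSON-lines schema.
SAMPLE_EVENTS = """\
{"ts": "2022-09-20T09:00:01Z", "exe": "/opt/TEAMS_INSTALL_PLACEHOLDER/teams", "pid": 2101, "path": "/home/alice/TEAMS_DATA_DIR_PLACEHOLDER/cookies.db"}
{"ts": "2022-09-20T09:03:44Z", "exe": "/usr/bin/python3", "pid": 3310, "path": "/home/alice/TEAMS_DATA_DIR_PLACEHOLDER/session.db"}
{"ts": "2022-09-20T09:03:45Z", "exe": "/tmp/teams", "pid": 3311, "path": "/home/alice/Documents/../TEAMS_DATA_DIR_PLACEHOLDER/session.db"}
{"ts": "2022-09-20T09:04:00Z", "exe": "/usr/bin/tar", "pid": 3400, "path": "/home/alice/TEAMS_DATA_DIR_PLACEHOLDER_old/notes.txt"}
not-json
"""


def in_teams_dir(raw_path: str) -> bool:
    """True if the path, after collapsing '..', lies inside TEAMS_DATA_DIR."""
    path = PurePosixPath(posixpath.normpath(raw_path))
    return TEAMS_DATA_DIR in path.parents


def find_suspicious(lines):
    """Return (alerts, skipped): events where a non-allow-listed executable
    touched the Teams data directory, and the count of unparseable lines."""
    alerts, skipped = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            exe, path = str(event["exe"]), str(event["path"])
        except (ValueError, KeyError, TypeError):
            skipped += 1
            continue
        # Match on the full executable path, not the process name, so a
        # binary that is merely called "teams" (e.g. /tmp/teams) is flagged.
        if in_teams_dir(path) and exe not in ALLOWED_EXES:
            alerts.append(event)
    return alerts, skipped


if __name__ == "__main__":
    alerts, skipped = find_suspicious(SAMPLE_EVENTS.splitlines())
    for a in alerts:
        print(f'{a["ts"]} pid={a["pid"]} {a["exe"]} -> {a["path"]}')
    print(f"{skipped} unparseable line(s) skipped")
```

In practice the events would come from whatever file-access auditing the endpoint already has, mapped into this shape.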