Microsoft Teams security flaw lets hackers steal accounts – and there’s no fix in sight
>
There is a security flaw in Microsoft Teams that allows threat actors to log into other people’s accounts, even if those accounts are secured with multi-factor authentication, researchers claim.
Cybersecurity analysts at Vectra say the Teams desktop application for Windows, Linux and Mac stores user authentication tokens in plaintext, without locks guarding access. Anyone with local access to a system with Teams installed can steal these tokens and use them to log into the accounts.
“This attack doesn’t require special permissions or advanced malware to inflict major internal damage,” said Connor Peoples of Vectra. currently.
Active Tokens
The problem lies in the fact that Microsoft Teams is an Electron app that runs in a browser window. Since Electron doesn’t support encryption or secure file locations by default, it’s a bit easier to use, but also risky on the data protection side. Further analysis revealed that the tokens were not stored accidentally, or as part of a previous data dump.
“The audit found that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs,” explains Vectra. In addition, the “cookies” folder also contained tokens, account information, session data, and other valuable information.
But Microsoft downplayed the whole thing, saying it’s not that serious and it doesn’t meet the criteria for patching.
In a statement sent to BleepingComputerMicrosoft said, “The technique described does not meet our immediate maintenance bar because an attacker must first gain access to a target network. We appreciate Vectra Protect’s collaboration in identifying and responsibly disclosing this issue and will consider address this in a future product release.”
Vectra, on the other hand, disagrees and to prove its point has developed an exploit that abuses an API call, allowing a user to send messages to themselves. Reading the cookies database through the SQLite engine allowed the exploit to receive the authentication tokens in a message.
If you are concerned about your business (opens in new tab) if the tokens are snatched, you’ll need to switch to the browser version of the Teams client, Vectra suggests. Linux users need to migrate to another collaboration (opens in new tab) platform too.
- These are the best VoIP (opens in new tab) solutions now
Through: BleepingComputer (opens in new tab)