According to the security company Vectra, the Microsoft Teams desktop client stores authentication tokens on disk in cleartext, so anyone able to read those files can act as the user and tamper with the organisation's internal communications.
Microsoft acknowledged the problem but said it had no immediate plans to fix it, because exploiting it requires an attacker who has already gained access to the target network or machine. It would, however, consider addressing it in a future product release.
The flaw affects the Teams desktop client on Windows, macOS, and Linux. An attacker with local or remote access to a victim's machine can read the tokens without administrator privileges, since the files sit in the victim's own user profile.
Because the stolen tokens are already authenticated, multi-factor authentication on the account does not block their reuse, and they also grant access to connected services such as Skype and Outlook. This can be abused to alter data, impersonate users, or mount targeted phishing campaigns.
“This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra security architect Connor Peoples wrote. “Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.”
Vectra developed a proof-of-concept exploit that replays a stolen access token to send a message to the credential holder's own account, proving the token is usable from outside the client. “Assuming full control of critical seats–like a company’s Head of Engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization.”
The issue is confined to the desktop application because it is built on Electron, which packages a web app as a native program; unlike a modern web browser, Electron “has no additional security safeguards to protect cookie data.”
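The practical check that follows from this is to look at what an Electron client actually leaves on disk. The script below is an added example written for this article, not Vectra's proof of concept and not Microsoft code. It assumes a Chromium-style profile layout (a SQLite file named `Cookies` with a `cookies(name, value)` table, and Local Storage as LevelDB `.ldb`/`.log` files under `Local Storage/leveldb`), and that the tokens are JWTs. The profile it scans, the audiences and the user name in it are constructed sample data, so it runs offline; point `scan_store` at a real profile directory of a test account you own to reproduce the check.

```python
"""Hunt for cleartext bearer tokens in an Electron app's on-disk storage.

Added example, not Vectra's proof of concept or Microsoft code. Assumptions:
the app keeps a Chromium-style SQLite file named `Cookies` with a
`cookies(name, value)` table and site storage in `Local Storage/leveldb`,
and its tokens are JWTs. The sample store built below is constructed data.
"""
import base64
import json
import os
import re
import sqlite3
import tempfile
from typing import Dict, List

# JWT = base64url(header).base64url(payload).base64url(signature); the two
# JSON segments begin with '{"', which always encodes to the prefix "eyJ".
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict:
    """Payload claims only; the signature is deliberately NOT verified.
    This is triage (whose token, which audience, still valid?), not auth."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def find_tokens(blob: bytes) -> List[str]:
    """Every JWT-shaped string inside an arbitrary byte blob."""
    return [m.group(0).decode("ascii") for m in JWT_RE.finditer(blob)]


def scan_cookie_db(path: str) -> List[str]:
    """Pull JWTs out of the cookie store. If the value column were wrapped
    with an OS keystore, as browsers do, a raw scan like this finds nothing."""
    db = sqlite3.connect(path)
    try:
        rows = db.execute("SELECT name, value FROM cookies").fetchall()
    finally:
        db.close()
    found: List[str] = []
    for _name, value in rows:
        found.extend(find_tokens(value.encode() if isinstance(value, str) else value))
    return found


def scan_leveldb_dir(path: str) -> List[str]:
    """LevelDB .ldb/.log files are plain on disk: a raw byte scan is enough."""
    found: List[str] = []
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.endswith((".ldb", ".log")):
            with open(entry.path, "rb") as fh:
                found.extend(find_tokens(fh.read()))
    return found


def scan_store(root: str, now: float) -> List[Dict]:
    """Scan both stores under an app profile and summarise each token."""
    tokens = scan_cookie_db(os.path.join(root, "Cookies"))
    tokens += scan_leveldb_dir(os.path.join(root, "Local Storage", "leveldb"))
    report = []
    for t in tokens:
        c = decode_jwt_claims(t)
        report.append({"upn": c.get("upn"), "aud": c.get("aud"),
                       "expired": c.get("exp", 0) < now})
    return report


# ---- constructed sample data so the example runs offline -------------------

def _fake_jwt(claims: Dict) -> str:
    """Unsigned look-alike token; the dummy signature is never checked."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims),
                     enc({"sig": "not-a-real-signature"})])


def build_sample_store(root: str, now: float) -> None:
    """Write a profile with one live token in Cookies, one stale in leveldb."""
    live = _fake_jwt({"upn": "cfo@example.invalid", "exp": int(now) + 3600,
                      "aud": "https://chat-api.example.invalid"})   # hypothetical audience
    stale = _fake_jwt({"upn": "cfo@example.invalid", "exp": int(now) - 60,
                       "aud": "https://mail-api.example.invalid"})  # hypothetical audience
    db = sqlite3.connect(os.path.join(root, "Cookies"))
    with db:
        db.execute("CREATE TABLE cookies (name TEXT, value TEXT)")
        db.execute("INSERT INTO cookies VALUES ('authtoken', ?)", ("Bearer=" + live,))
        db.execute("INSERT INTO cookies VALUES ('session', 'not-a-token')")
    db.close()
    ldb = os.path.join(root, "Local Storage", "leveldb")
    os.makedirs(ldb)
    with open(os.path.join(ldb, "000003.log"), "wb") as fh:
        fh.write(b"\x00\x17junk" + stale.encode() + b"\x00trailing bytes")


def demo(now: float = 1_700_000_000.0) -> List[Dict]:
    """Build the constructed store in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_store(root, now)
        return scan_store(root, now)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The report lists who each token belongs to, which API it is scoped to and whether it has expired, which is exactly what an attacker with file access would triage before replaying one; a token that is not expired is usable as-is, no password or second factor required. An empty report on a newer build is not proof that the data is protected, because the store layout can change between Electron versions, so confirm the table and file names before trusting a negative result.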
Until a fix ships, Vectra advises using the Teams web application in a browser rather than the desktop client, so that the tokens stay under the browser's own cookie protections.
Threat researcher John Bambenek told Dark Reading that, in the event of a network compromise, the flaw might offer a backup method for “lateral movement.” He also noted that Microsoft is pursuing Progressive Web Apps, which “would reduce many of the difficulties currently brought about by Electron.”