Microsoft Teams deemed unsafe to use by security researchers

California-based cybersecurity research firm Vectra has uncovered a potentially serious flaw in the desktop version of Microsoft Teams: authentication tokens are stored in plain text, making them vulnerable to a third-party attack.

The issue affects the Teams app based on the company’s Electron framework, which runs on Windows, macOS, and Linux machines. Vectra says that these credentials could theoretically be stolen by an attacker who has local or remote system access. Microsoft is aware of this vulnerability, although the company doesn’t seem to be in a hurry to fix it.

***

Vectra elaborates that a hacker with the requisite access could steal data from an online Teams user and potentially mimic them when they’re offline. This identity could then be used across apps like Outlook or Skype by circumventing the multifactor authentication (MFA) requirements. Vectra recommends that users stay away from the Microsoft Teams desktop app until a fix is available or, alternatively, use the Teams web app, which has additional safeguards in place.
