A fresh report by cybersecurity firm Vectra claims Microsoft Teams stores authentication tokens in unencrypted plain text, potentially allowing attackers to take control of users’ communications.
According to the report, the bug affects the Windows, Mac, and Linux desktop applications built using the Microsoft Electron platform. Microsoft is aware of the issue but says it has no plans to fix it in the near future, since exploiting it also requires network access.
Anyone with local or remote access to the system could steal the credentials of a Teams user who is currently online and then impersonate them even when they are offline. He or she could also pose as the user through Teams-related apps such as Skype or Outlook, bypassing the multi-factor authentication (MFA) that is usually required.
“This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra security architect Connor Peoples wrote. “Even more damaging, attackers can tamper with legitimate communications within an organisation by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.”
Vectra’s Protection Team says it has created a proof-of-concept exploit that uses an access token to send a message to the credential owner’s account. “An attacker can take full control of a key position, such as the CTO, CEO, or CFO of a company, in order to convince users to take actions that harm the organization.”
The cybersecurity firm has confirmed that this affects only the Microsoft Teams desktop applications. The Electron platform, which wraps web applications as desktop apps, “has no additional security controls to protect cookie data”, unlike modern web browsers. Vectra now recommends that people use the web app instead of the desktop app until a patch is available.
Cybersecurity news site Dark Reading says it reported the issue to Microsoft. However, the software company says the issue “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network.” Microsoft added that it would consider addressing the vulnerability in a future product release.
Threat hunter John Bambenek then told Dark Reading that the flaw could provide a secondary means of “lateral movement” in the event of a network breach.
He also noted that Microsoft is moving toward Progressive Web Apps that “would mitigate many of the concerns currently brought by Electron.”
Last year, Microsoft launched a new product for Teams – Safe Links in Microsoft Defender for Office 365 – which it claimed would protect users against potentially dangerous phishing URLs.
Even as email-based phishing attacks prove more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.
One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.
It appears that hackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers.