Microsoft Teams authentication tokens being stored in plain text

Users at risk of identity theft and phishing attacks

Microsoft Teams users can be at risk of identity theft, phishing attacks, and other attacks because their authentication tokens are stored in plain text. The vulnerability affects both the desktop and mobile versions of the popular messaging and collaboration platform. Microsoft has acknowledged the issue, but it has not yet made any plans to address it. Hackers with access to a victim’s local or remote system can use this flaw to steal credentials and impersonate users online and offline. They can also bypass the multifactor authentication process that protects against these attacks.

The vulnerability was discovered by Vectra researchers in August. They were able to gain local access to a workstation where they could browse through Teams data. The researchers were looking for a way to remove Teams data for deactivated accounts when they discovered the flaw. Unfortunately, there’s no way to disable an account or delete it completely without logging in again.

The desktop version of Microsoft Teams contains a critical vulnerability that could allow attackers to steal user authentication tokens and access accounts with multi-factor authentication. The flaw affects Windows, Linux, and Mac computers. The vulnerability exists because the desktop version of Teams uses an Electron application that doesn’t support encryption or protected file storage. This makes the application unsuitable for mission-critical applications.

The researchers also discovered a vulnerability in Microsoft Teams’ ldb file, where access tokens were stored in clear text. The researchers obtained authentication tokens through an API call and read the Cookies database using a SQLite engine. The vulnerability could also be exploited by information-stealing malware, one of the most common payloads in phishing campaigns. By bypassing MFA, attackers can access the chat data of users and steal the information contained in the chats.

As a result of this vulnerability, attackers can gain access to any service as the online user. This includes access to the CEO’s email client. It’s also possible for attackers to steal access tokens, which would allow them to control critical seats. An attacker with access to the CEO’s computer could also open the CEO’s email client and browse the cache of Teams messages.

While Microsoft has acknowledged the vulnerability, it has not yet released a patch. In the meantime, users should consider switching to another collaboration suite if they use the Linux version of Microsoft Teams. The company has also announced plans to discontinue support for Teams for Linux by the end of this year.

The researchers at Vectra used a file containing users’ authentication tokens in clear text and found that the tokens were valid. The researchers also found that a user can send messages to themselves via an exploit that uses SQLite to read a user’s cookie database. The researchers recommend that people use the browser version of Microsoft Teams in order to avoid the risks.
