The Inner Circle

 View Only

Microsoft Teams deemed unsafe to use by security researchers

  • 1.  Microsoft Teams deemed unsafe to use by security researchers

    Posted Sep 18, 2022 09:30:00 AM

    Microsoft's workplace-oriented messaging app, Teams, has gone through a number of controversies that you wouldn't expect other chat apps to deal with, including last year when the Android app was considered responsible for breaking the ability to place 911 calls on devices last year. Well, the Teams app - not the Android one this time, at least - is in the news again and it's not for the right reasons.

    <msn-article-image>
    Microsoft Teams deemed unsafe to use by security researchers© Provided by Android Police.
    </msn-article-image>
    <views-native-ad config-instance-src="config_index_views_intraarticle_article_page-BB1dLKBM" instance-id="" props-token="49">
    <msft-article-card size="_1x_2y"><slot><msft-article-card card-fill-color="#2E2E2E" size="_1x_2y"><slot><msft-article target="_blank" id="native_ad_inarticle-1" href="https://aka.ms-ads.co/api-172wlR2kSLo2rjwIVTk1ztkmI9bCpkjIJBY5Z3GaSmlSR3?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApCi876wQ1Tqk5dHQYnfbDSM9zGhXGK34kB8XZifeMubRsCXKSESBXU6yoijjejf457rETLU7BAK3ijVwzL2MtwuSQfd9YvVdlMJv" title="Transfer Your Debt and Pay 0% Interest Until 2024" image-priority="" class="native-ad" data-t="{"n":"NativeAd","t":13}" role="article" image-position="end" immersive-card="">
    <slot name="start-action"><msft-attribution slot="start-action"><slot><msn-native-ad-provider-name url="https://aka.ms-ads.co/api-172wlR2kSLo2rjwIVTk1ztkmI9bCpkjIJBY5Z3GaSmlSR3?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApCi876wQ1Tqk5dHQYnfbDSM9zGhXGK34kB8XZifeMubRsCXKSESBXU6yoijjejf457rETLU7BAK3ijVwzL2MtwuSQfd9YvVdlMJv" provider-name="CompareCards" white-provider-name="false" keep-opacity="false" ad-slug-ga="" font-family="inherit" tel-metadata="{"n":"sponcon","b":1,"c.t":8,"ext":null}" ad-label-text-opacity="0.7" font-size="" line-height="" color="var(--neutral-foreground-rest)" font-weight="normal"></msn-native-ad-provider-name></slot></msft-attribution></slot><slot name="end-action">
    <msn-native-ad-disclaimer component-name="undefined" popup-margin="35" url="https://aka.ms-ads.co/api-172wlR2kSLo2rjwIVTk1ztkmI9bCpkjIJBY5Z3GaSmlSR3?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAApCi876wQ1Tqk5dHQYnfbDSM9zGhXGK34kB8XZifeMubRsCXKSESBXU6yoijjejf457rETLU7BAK3ijVwzL2MtwuSQfd9YvVdlMJv" tel-metadata="{"n":"sponcon","b":1,"c.t":8,"ext":null}" disclaimer="" disclaimer-tooltip="Disclaimer"></msn-native-ad-disclaimer>
    </slot>
    <slot name="image">
    </slot>
    <slot name="content-indicator"></slot>
    </msft-article></slot></msft-article-card></slot></msft-article-card>
    </views-native-ad>

    California-based cybersecurity research firm Vectra has uncovered a potentially serious flaw in the desktop version of the service wherein authentication tokens are stored in plain text, making them vulnerable to a third-party attack.

    The issue affects the Teams app based on the company's Electron framework, which runs on Windows, macOS, and Linux machines. Vectra says an attacker could theoretically steal these credentials with local or remote system access. Microsoft is aware of this vulnerability, although the company isn't in a hurry to fix it.

    Vectra elaborates that a hacker with the requisite access could steal data from an online Teams user and potentially mimic them when they're offline. This identity could then be used across apps like Outlook or Skype by circumventing the multifactor authentication (MFA) requirements. Vectra recommends users to stay away from the Microsoft Teams desktop app until a fix is available or, alternatively, use the Teams web app, which has additional safeguards in place.

    <fluent-design-system-provider fill-color="#FFFFFF"><slot><social-tip-promotion-in-article config-instance-src="default" instance-id="socialTipPromotionInArticle-AA11XW8m" props-token="13" publisherprofileid="vid-wkfd0hryv6kak7bhf60sp8vwtp7ejqsh437bevpeb9r7ujvkufhs" contentid="AA11XW8m" roottelemetryobject="[object Object]">
    </social-tip-promotion-in-article></slot></fluent-design-system-provider>

    "Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks," Connor Peoples, security architect at Vectra, said. He notes that this particular vulnerability only exists on the desktop version of Teams due to a lack of "additional security controls to protect cookie data."

    To get its point across to Microsoft, Vectra even developed a proof-of-concept detailing the exploit, enabling the researchers to send a message to the account of the individual whose access token was compromised.

    While the Electron platform makes it easy to build apps for desktops, it doesn't include crucial security measures like encryption. Security researchers have constantly criticized this framework, although Microsoft doesn't consider it a serious issue yet.

    Cybersecurity news site Dark Reading (via Engadget) approached the company for a comment on the Teams vulnerability and received a fairly lukewarm response, saying this security loophole "does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network." However, the company didn't rule out the possibility of a fix being rolled out in the future.

    That said, if you're serious about your security, maybe it's best to leave the platform alone entirely for a while.



    ------------------------------
    Vipul Patel
    Lead It Consultant
    Pace Center for Girls
    St. Augustine, FL
    ------------------------------