Microsoft Sees No Need to Fix New Teams Vulnerability

Gandalf_The_Grey

Level 78
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,770
Security researchers from Vectra Protect identified a major new vulnerability in Microsoft Teams, but Microsoft says there’s no need for a fix.

“Our research discovered that the Microsoft Teams App stores authentication tokens in cleartext,” Vector Research’s Connor Peoples explains. “With these tokens, attackers can assume the token holder’s identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker’s system. Even worse, these stolen tokens allow attackers to conduct actions against [multi-factor authentication] MFA-enabled accounts, creating an MFA bypass.”

The vulnerability exists in the native client of Teams for Windows, Mac, and Linux, which was developed using Electron, and the underlying culprit responsible for this vulnerability: Despite being based on web technologies, Electron doesn’t support standard browser controls like encryption, the firm notes, or system-protected file locations.

Vector Research contacted Microsoft about the vulnerability and was told that it did not require immediate patching.

“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network,” a Microsoft statement explains. “We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing [it] in a future product release.”

Vector Research suggests that Teams users use the web-based version of Teams exclusively until Microsoft fixes this vulnerability. But that may happen slowly, if at all: Microsoft is allegedly moving the Teams codebase to web-standard Progressive Web App (PWA) technologies that do not share Electron’s security issues.
 

Lightning_Brian

Level 15
Verified
Top Poster
Content Creator
Sep 1, 2017
742
This is awful! I hope a fix gets deployed fast otherwise things could get dicey fast. All the more reason to be wise and not download anything or open anything up that you aren't expecting at all. Good post here @Gandalf_The_Grey. I have known about this for some time now, but bringing awareness is very key to this subject so others are aware.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top