Microsoft Teams stores the plain text access tokens that users use in Teams to sign in to Microsoft services. Attackers with access to the PC’s file system can steal the file and gain access to Microsoft services like Skype and Outlook without knowing the user’s password; a two-factor protection is also bypassed in this way. The California researchers discovered by cybersecurity firm Vectra.
Windows, Linux, and macOS versions of Teams are affected, all three use the Electron framework. An Electron app is kind of a web app with a browser attached, and it stores unencrypted tokens stored in cookies, for example.
Patch later, fix now
According to Vectra, Microsoft wants to fix the bug, but only with a later patch – no urgency is required because the attackers would need a PC that was already compromised to get the tokens.
Until then, Teams users should only use the web version of Teams, especially on PCs used by multiple people — modern browsers are protected against such token takeovers. The iOS and Android versions are also not vulnerable in this way. For Linux, Vectra generally recommends switching to the web version, as Microsoft wants to turn the Linux client into a pure PWA by the end of the year. Windows and macOS users can revert to the desktop version after the patch, at least on machines where they or administrators have control over the installed version.
Just a few days ago, a vulnerability was discovered in Teams that attackers could use to cheat businesses out of phone rates.
(jou)