September 16, 2022

Security researchers from Vectra have uncovered a vulnerability in the desktop app for Microsoft Teams that could give threat actors access to authentication tokens and accounts with multi factor authentication.

Microsoft Teams is an Electron app that implies that it runs in a browser window, complete with all the elements required for a regular website.

However, Electron does not support encryption or protected file storage by default. Therefore, it is not secure for the development of mission-critical products unless extensive customization and additional work is carried out.

In their analysis of Microsoft Teams, the researchers found an Idb file with access tokens in clear text. They also discovered that the “Cookies” folder contained valid authentication tokens, along with account information, session data, and marketing tags.

Threat actors can use info-stealing malware to steal Microsoft Teams authentication tokens and remotely log in as a user, bypass MFA and gain full access to the account.

To mitigate the bug, Vectra asked users to switch to the browser version of Microsoft Teams client since using Microsoft Edge to load the app can provide users with additional protection against token leaks.

Linux’s users are advised to switch to another collaboration suite, especially since Microsoft has announced that it will discontinue support for the app on the platform by December. Those who cannot switch to another solution immediately are advised to create a monitoring rule to discover processes accessing selected directories.

The sources for this piece include an article in BleepingComputer.