Cybersecurity firm Vectra has uncovered a severe security vulnerability in the desktop apps of Microsoft Teams on Windows, Mac, and Linux.
BleepingComputer reports that Vectra’s security researchers found that the apps store user authentication tokens on-system in plaintext without restricting access to them.
Malicious actors could steal the tokens and use them to log into a target’s account.
“This attack does not require special permissions or advanced malware to get away with major internal damage,” said Vectra’s Connor Peoples.
Peoples said the exploit could be used to take control of critical seats within a company — such as the head of engineering, CEO, or CFO — and then to convince other users to perform tasks that could damage the organisation.
The desktop app runs on the widely used open-source Electron framework, which had previously been found to expose serious remote-control vulnerabilities in the Teams and Discord apps.
Electron offers no encryption support or protected file locations unless the developer is willing to put in extensive work to customise their app with the capability.
Vectra analysed Microsoft Teams while attempting to remove deactivated accounts from client apps and stumbled upon an .ldb file containing the access tokens in plaintext.
“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs,” Peoples explained.
Fortunately, an attacker would first need local access to the system to reach the tokens.
A Microsoft spokesperson told BleepingComputer that the technique used to exploit the vulnerability did not meet its bar for immediate servicing, as it requires an attacker to first gain access to a target network.
“We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release,” the spokesperson said.
Vectra said that, since a patch was unlikely in the immediate future, it recommended users switch to the browser-based Teams client as a precautionary measure.