Microsoft Teams for Windows, macOS and Linux stores authentication tokens insecurely in unprotected cleartext, and no fix is available yet, according to researchers from cybersecurity firm Vectra.
The researchers have warned that this Microsoft Teams vulnerability leaves authentication tokens stored in an unprotected form, making them easy for threat actors to abuse.
Microsoft has said it is not an “immediate” issue that authentication tokens are stored in cleartext. They will be taking action in their own time, which could mean months of waiting.
Vectra researchers discovered an attack that enables malicious actors to steal credentials without elevated privileges in Microsoft Teams.
There is no encryption support for Electron, the framework the Teams app is built on.
According to Vectra, Microsoft Teams App stores authentication tokens in cleartext, and an attacker could use these tokens to assume the person’s identity for all actions possible through the Microsoft Teams client. Worse, after obtaining a token, an attacker can create an MFA bypass, which grants access to MFA-enabled accounts.
Microsoft decided it would take time to fix the app, so customers should use the web-based version for now.
What should you do if you are using Microsoft Teams?
Researchers from Vectra have urged users to stop using the Teams app. They further advise users to avoid the full Microsoft Teams client until this issue is fixed, and to use the web-based Teams client inside Microsoft Edge instead, which has multiple OS-level controls to protect against token leaks. Luckily, the web application supports most features of the desktop client and shouldn’t cause as much disruption to your organization’s productivity.
After the Microsoft updates are complete, it’s important to use a high-restriction model to prevent unauthorized Teams apps, bots, connectors, etc.
Linux users should stop using Microsoft Teams because Microsoft announced that it will be ending the service by December 2022.