Users of Microsoft Teams are being warned of a potentially serious loophole in the app’s security. The flaw was discovered in the desktop version of the app, which facilitates business communication. AndroidPolice.com reports that although Microsoft has been notified of the potential security threat, the company does not consider it a priority.
Potentially serious flaw
Vectra, the California-based cybersecurity firm which uncovered the vulnerability, said the authentication tokens of users are stored in plain sight, making them highly susceptible to being stolen by attackers. The team at Vectra found the flaw in Microsoft’s Electron framework, which runs on Windows, macOS and Linux machines, according to Android Police. The cybersecurity experts explained that any attacker with local or remote system access could easily steal these credentials.
What this means is that if you are one of the 270 million users of the Teams desktop app, a hacker could steal your login credentials and pretend to be you even when you are offline. Connor Peoples, security architect at Vectra, said:
Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.
He added that this flaw is only present on the desktop app due to the absence of ‘additional security controls to protect cookie data’.
Not a priority
Once stolen, your user identity can be used across apps like Outlook or Skype, with a possibility of getting past the multifactor authentication requirements. Microsoft is aware of the issue, although it does not consider it a major threat.
In fact, when approached by cybersecurity news site Dark Reading for a comment on the Teams vulnerability, the company said:
[It] does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network.
Experts recommend using the Teams web app instead of the desktop app if necessary, until a fix is found.