Vulnerability in Teams: Microsoft token stored in plain text


The Windows, Linux, and macOS versions of Teams store tokens in plain text that attackers can use to hijack users’ Microsoft services.


Microsoft Teams stores, in plain text, the access tokens that users obtain when they sign in to Microsoft services through Teams. Attackers with access to the PC's file system can steal that file and use the tokens to reach Microsoft services such as Skype and Outlook without knowing the user's password; two-factor authentication is bypassed in the same way. That is what researchers at the Californian cybersecurity company Vectra found.


The Windows, Linux and macOS versions of Teams are affected; all three are built on the Electron framework. An Electron application is essentially a web app bundled with its own browser, and it stores the tokens unencrypted, for example in cookies.
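To make concrete why an unencrypted token at rest is a problem on its own, here is an added example (not code from the article or from Vectra) of a small audit routine an administrator could run over a dump of an application's local key/value store. It assumes, as an illustration, that the stored credentials are JWT-shaped bearer tokens; the sample store contents, issuer and audience values are constructed, and the real Teams storage format and paths are not described by the article. The routine only decodes what is readable without any key, which is exactly the point: whoever can read the file already holds a usable credential, issued after password and second factor were checked.

```python
import base64
import json
import re
import time

# Three base64url segments separated by dots: header.payload.signature.
JWT_RE = re.compile(r"[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_demo_token(claims):
    """Build a constructed JWT-shaped string for the sample store.

    The signature segment is a dummy. The audit never verifies signatures;
    it only reads what anyone with file access can read.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature-bytes')}"


def audit_store(text, now=None):
    """Return one report per JWT-shaped token found in a plaintext store dump."""
    now = time.time() if now is None else now
    reports = []
    for match in JWT_RE.finditer(text):
        token = match.group(0)
        try:
            payload = json.loads(_b64url_decode(token.split(".")[1]))
        except (ValueError, UnicodeDecodeError):
            continue  # dotted string that is not a JSON payload: not a JWT
        exp = payload.get("exp")
        amr = payload.get("amr")  # authentication methods used at issuance
        reports.append({
            "preview": token[:12] + "...",  # never log the whole credential
            "iss": payload.get("iss"),
            "aud": payload.get("aud"),
            "expires_in_s": None if exp is None else int(exp - now),
            "expired": exp is not None and exp <= now,
            # MFA already happened when the token was minted, so holding the
            # token is enough: no password or second factor is asked again.
            "mfa_satisfied": isinstance(amr, list) and "mfa" in amr,
        })
    return reports


NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

# Constructed sample of an unencrypted key/value store, in the style of a
# browser cookie or localStorage dump. Hypothetical: not Teams' real format.
SAMPLE_STORE = "\n".join([
    "theme=dark",
    "session-id=8f3c1e2d",
    "auth-token=" + build_demo_token({
        "iss": "https://login.example.test/",  # constructed issuer
        "aud": "api.example.test",             # constructed audience
        "sub": "user-1234",
        "amr": ["pwd", "mfa"],
        "exp": NOW + 3600,
    }),
    "stale-token=" + build_demo_token({
        "iss": "https://login.example.test/",
        "aud": "api.example.test",
        "amr": ["pwd"],
        "exp": NOW - 60,
    }),
])

if __name__ == "__main__":
    for report in audit_store(SAMPLE_STORE, NOW):
        print(report)
```

Run against the sample it reports two tokens, one live for another hour with MFA already satisfied and one expired. In practice the output tells an administrator which tokens to revoke and which sign-ins to review; the fix on the application side is to keep such tokens out of plain files altogether, for example in the operating system's credential store.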

According to Vectra, Microsoft intends to fix the flaw, but only in a later patch: it does not consider the issue urgent, because an attacker would need access to an already compromised PC to obtain the tokens.

Until then, Teams users should use only the web version of Teams, especially on PCs shared by several people; modern browsers protect against this kind of token takeover. The iOS and Android versions are also not vulnerable in this way. For Linux, Vectra recommends switching to the web version in any case, since Microsoft plans to convert the Linux client to a pure PWA by the end of the year. Windows and macOS users can switch back to the desktop version after the patch, at least on machines where they or their admins control the installed version.
