According to analysts from cybersecurity company Vectra, there’s a massive vulnerability within Microsoft Teams, and countless users could potentially be affected if hackers get their hands on it.
The program has a flaw that makes it possible for attackers to steal users’ login credentials.
Unfortunately, Microsoft is not planning to patch this right now.
Read on to make sure you stay safe from this unexpected Microsoft Teams issue.
This flaw, first discovered in August 2022, is pretty severe, but it’s also not too easy to execute.
It applies to the desktop versions of the Microsoft Teams software, not the browser version, and affects Windows.
It all comes down to how Teams stores user authentication tokens: in plain text, without any extra protection.
That would be disastrous if it didn’t rely on one key factor: an attacker needs to have local access to the system where Microsoft Teams is installed.
Assuming that an attacker does have local access to the network, they could steal the authentication tokens and log into the victim’s account.
During its research, Vectra found a file containing user tokens in clear text.
“Upon review, these access tokens were active and not a random dump of a previous error,” the company’s report said. “These access tokens gave us access to the Outlook and Skype APIs.”
Further research turned up even more data, including valid authentication tokens and account information. Vectra also found a way to exploit the app and was able to receive the tokens in its chat window.
A Microsoft spokesperson told Bleeping Computer:
“The technique described does not meet our bar for immediate servicing as it requires an attacker first to gain access to a target network.
We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing it in a future product release.”
If you’re worried about the security of your Teams account, a good idea is to switch to the browser version of Teams instead of the desktop client.
Linux users, however, are advised to switch to a different app — especially because Microsoft is planning to stop supporting the Linux version of Teams by the end of this year.