A group of researchers has discovered a major security hole in Teams, which would allow private user data to be obtained
A security flaw present in Microsoft Teams would have allowed attackers to access private user data and obtain sensitive information, including login credentials.
This has been confirmed by cybersecurity experts from Vectra, responsible for discovering the gap after analyzing the Microsoft Teams desktop app available on Windows, macOS and Linux.
On all three platforms, the Microsoft Teams app, based on Electron technology, has been found to store access tokens in plain text format, which would allow an attacker who gets such a token to access the victims' accounts and thus steal sensitive information.
Microsoft is aware of the problem, but has not yet fixed it
In recent years, Electron has been a technology criticized by some users and developers, because despite offering a set of tools that greatly facilitates the development and distribution of multiplatform applications, in some of its versions it lacks advanced protection systems such as encryption or the restriction of access to protected files.
According to the researchers, since the desktop version of Microsoft Teams, based on Electron, stores access tokens in plain text, an attacker, either remotely or locally, could get the credentials of any user who is online, and even access those applications associated with Teams.
Furthermore, it is particularly worrying that the attack does not require special permissions, which could translate into a very serious problem for those companies that use Microsoft Teams as a corporate communication tool:
This is what really scares us about this attack. This attack does not require special permissions or advanced malware to get away with causing extensive internal damage. With enough machines compromised, attackers can orchestrate communications within an organization. By assuming full control of critical positions – such as the Chief Engineer, CEO or CFO of a company – attackers can convince users to perform tasks that are detrimental to the organization.
Today, Microsoft has already been notified about the gap, but according to Vectra, the company does not consider this fault a serious threat, so it decided to close the case.
For that reason, experts suggest that users stop using the desktop version of Microsoft Teams and switch to the web version of the service, at least until an update is released that fixes the vulnerability.