A vulnerability has been discovered in the Microsoft Teams desktop clients for Windows, macOS and Linux, which are built on the Electron framework, that could allow an attacker to take control of corporate communications. Security researchers at Vectra found that the application stores its authentication tokens on disk in plain text.
According to Vectra, an attacker with local or remote access to the system can read the tokens of any signed-in Teams user and then impersonate that user, even after the victim goes offline. Because the same tokens are honoured by Teams-related services, the attacker can also act as the user in Skype or Outlook. In practice that means posing as someone else, tampering with corporate communications and running phishing campaigns from a trusted account. Vectra demonstrated the attack by sending a message on behalf of a Teams user. Note the precondition: the attacker needs to be able to read files under the victim's profile (for example through malware already running as that user); no network-facing exploit is involved.
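The practical check a defender wants here is whether a client's on-disk storage actually contains readable bearer tokens. The following script is an added example, not Vectra's tooling and not anything published with the finding. It assumes the tokens are JWT-shaped (three base64url segments), which the page does not state, and because the page gives no storage paths it scans whatever directory it is pointed at; the demo builds a constructed temporary directory with two forged tokens (filler signatures, invalid audience) so it runs offline.

```python
import base64
import json
import os
import re
import tempfile
import time
from typing import Optional

# A JWT as it appears inside an opaque file: three base64url segments joined by
# dots, the first beginning with "eyJ" (the base64url encoding of '{"').
JWT_RE = re.compile(rb'eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}')


def _b64url_encode(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def decode_jwt_unverified(token: bytes):
    """Return (header, payload) of a JWT without checking its signature.

    Deliberately unverified: for an inventory we only need what the token claims
    (audience, user, expiry); whether a service still accepts it is a separate question.
    """
    header_b64, payload_b64, _signature = token.split(b".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def scan_directory_for_tokens(root: str, now: Optional[float] = None):
    """Walk `root`, carve JWT-shaped strings out of every file and summarise each.

    Any finding means a bearer token is readable by whatever can read the file,
    which is exactly the condition the Vectra report describes.
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for match in JWT_RE.finditer(data):
                try:
                    header, payload = decode_jwt_unverified(match.group(0))
                except ValueError:
                    continue  # JWT-shaped bytes that are not two JSON objects: a false hit
                if not (isinstance(header, dict) and isinstance(payload, dict)):
                    continue
                exp = payload.get("exp")
                findings.append({
                    "path": path,
                    "offset": match.start(),
                    "alg": header.get("alg"),
                    "aud": payload.get("aud"),
                    "upn": payload.get("upn"),
                    "expired": isinstance(exp, (int, float)) and exp <= now,
                })
    return findings


def _forge_demo_token(upn: str, exp: int) -> bytes:
    # Constructed for the demo: the signature segment is filler, not a real MAC,
    # and the audience is a reserved example hostname.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": "https://example.invalid/teams-api",
        "upn": upn,
        "exp": exp,
    }).encode())
    return header + b"." + payload + b"." + _b64url_encode(bytes(range(32)))


def build_sample_store(directory: str, now: float):
    """Write two constructed files imitating Electron local-storage records
    (a LevelDB .ldb table and its .log journal) that embed tokens in plain text."""
    live = _forge_demo_token("alice@example.invalid", int(now) + 3600)
    stale = _forge_demo_token("bob@example.invalid", int(now) - 3600)
    for name, token in (("000123.ldb", live), ("000124.log", stale)):
        with open(os.path.join(directory, name), "wb") as fh:
            # Binary filler around the token stands in for LevelDB record framing.
            fh.write(b"\x00\x09authtoken\x00" + token + b"\x00" * 8)


def demo(now: Optional[float] = None):
    """Build the constructed sample store in a temp dir, scan it, return the findings."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp, now)
        return scan_directory_for_tokens(tmp, now)


if __name__ == "__main__":
    for finding in demo():
        state = "EXPIRED" if finding["expired"] else "LIVE"
        print(f"{state:7} {finding['upn']} aud={finding['aud']} "
              f"alg={finding['alg']} in {os.path.basename(finding['path'])}")
```

Pointing `scan_directory_for_tokens` at a real client's profile directory turns it into a quick audit of how much of a user's session is sitting in world-readable files; a "LIVE" line is a token that could be replayed by anyone who can copy that file, which is why the same test is worth running against any Electron application your organisation deploys, not just Teams.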
The problem only affects the desktop application: unlike modern browsers, Electron does not apply the cookie and storage protections that keep a browser's session tokens out of reach of a local file read. Using the web client in a browser is therefore safer, and the recommendation is to use only the web client until the bug is fixed. The situation is complicated by Microsoft's response: when the finding was reported, the company said the issue "does not meet the bar for immediate servicing", because an attacker first needs access to the company network to exploit it. An update will still be released, but no date has been given.