Microsoft Teams security flaw lets hackers steal accounts - and theres no fix in sight
Date:
Thu, 15 Sep 2022 18:27:28 +0000
Description:
Experts say it's easy to steal authentication tokens and log into Microsoft Teams accounts protected by MFA.
FULL STORY ======================================================================
There is a security flaw in Microsoft Teams that allows threat actors to log into other peoples accounts, even if those accounts are protected with multi-factor authentication, researchers have claimed.
Cybersecurity analysts from Vectra say the Teams desktop application for Windows, Linux, and Mac, stores user authentication tokens in cleartext, without any locks guarding the access. Anyone with local access to a system with Teams installed can steal these tokens and use them to log into the accounts.
"This attack does not require special permissions or advanced malware to get away with major internal damage," Vectras Connor Peoples said - Microsoft, on the other hand, says the whole deal is blown out of proportion and it is not interested in addressing the issue at this time. Active tokens
The problem lies in the fact that Microsoft Teams is an Electron app, running in a browser windows. As Electron does not come with support for encryption, or protected file locations by default, it is somewhat easier to use, but
also risky on the data protection side of things. Deeper analysis uncovered that the tokens were not stored in error, or as part of a previous data dump.
"Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs, Vectra explained. Whats more, the cookies folder also held tokens, account information, session data, and other valuable information.
But Microsoft played the whole thing down, saying it isnt that severe and
that it doesnt meet the criteria for patching.
In a statement sent to BleepingComputer , Microsoft said The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protects partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release. Read more
This brutal hacking tool could steal virtually all of your logins
Best authenticator apps today: add an extra layer of online security
These are the best VoIP headsets right now
Vectra, on the other hand, disagrees, and to prove its point, it developed an exploit that abuses an API call, allowing a user to send messages to themselves. By reading the cookies database through SQLite engine, the
exploit was able to receive the authentication tokens in a message.
If youre worried about your business having its tokens snatched, you should switch to the browser version of the Teams client, Vectra suggests. Linux users should migrate to a different collaboration platform, as well. These
are the best VoIP solutions right now
Via: BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/news/microsoft-teams-security-flaw-lets-hackers-stea l-accounts-and-theres-no-fix-in-sight/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)