Microsoft Teams would store your connection information in plain text on your hard drive… Microsoft is now aware, but does not seem in a hurry to correct the situation.
A flaw has just been discovered in the giant Microsoft’s instant messaging and videoconferencing application. Teams would store the login credentials of its users in clear, allowing any malicious person to access shared files and conversations, but also data from other Microsoft applications such as Outlook or Sharepoint.
A flaw in authentication tokens
Discovered last August by Vectra, a leader in the world of cybersecurity and artificial intelligence, a vulnerability involving authentication tokens could harm companies and individuals using the Teams desktop application on Windows, Mac and Linux.
Simply put, these tokens containing your username and password would be stored in plain text on users’ hard drives. This is very problematic because any intruder on the victim’s network could use these tokens to authenticate with any Microsoft service and thus impersonate them. It would then be possible to send emails via Outlook or access chat via Teams, or steal documents located in a Sharepoint for example.
The source of this flaw would come from Electron, the software component used for the development of Teams. By its ease of use and installation, Microsoft surely wanted to save time by using this framework, neglecting in passing the security of its application. Because even though Electron is used by a lot of software today, it does not support data encryption and file protection.
Not an immediate threat according to Microsoft
Contacted directly by Vectra, Microsoft does not consider this flaw to be an immediate risk and will not deploy a patch dedicated to this problem. We can still expect corrective actions to be taken and deployed via the next Teams update, but no date has been communicated.
While waiting for the update, Vectra strongly recommends users to use the web version of Teams which does not have this flaw. It is also recommended that companies secure access to the Teams application and monitor any suspicious actions on the software’s local files and folders.
To download
- Call quality, audio and video
- Messaging functions
- Fairly generous free version
Microsoft Teams is the ideal collaborative work and video software for users and companies already immersed in the Microsoft and Office ecosystem. Its meeting and video functions are qualitative, but those refractory to the MS environment will not switch to Teams.
Microsoft Teams is the ideal collaborative work and video software for users and companies already immersed in the Microsoft and Office ecosystem. Its meeting and video functions are qualitative, but those refractory to the MS environment will not switch to Teams.
Source : Vectra
19