
This Microsoft Teams exploit could leave your account vulnerable

According to analysts from cybersecurity company Vectra, there’s a serious vulnerability in Microsoft Teams, and countless users could potentially be affected if attackers get their hands on it.

The program has a flaw that makes it possible for attackers to steal the login credentials of users and log into their accounts. Unfortunately, Microsoft is not planning to patch this right now, so read on to make sure you’re staying safe from this unexpected Microsoft Teams issue.


This flaw, first discovered in August 2022, is pretty severe, but it’s also not too easy to execute. It applies to desktop versions of the Microsoft Teams software (so not the browser version) and affects users on Windows, Linux, and Mac.

It all comes down to the way Teams stores user authentication tokens — in clear text, without any extra protection. That would be disastrous if not for one key factor: an attacker needs local access to the system where Microsoft Teams is installed.

Assuming that an attacker does have that local access, they could read the stored authentication tokens and log into the victim’s account.

Connor Peoples, a researcher from Vectra, said that the threat lies deeper than just one account being compromised; it allows the attacker to hijack accounts that could potentially disrupt the operations of a whole organization.

“[Taking] control of critical seats — like a company’s Head of Engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization,” said Peoples in the report.

How does this all work? Bleeping Computer explained it in greater detail, but the short story is that Microsoft Teams is an Electron app and comes with all the elements required by any regular webpage, such as cookies and session strings. Electron doesn’t support file encryption or establishing protected locations, which is why the user credentials are not being protected as they should be.

During its research, Vectra found a file with access to user tokens in clear text. “Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs,” the company’s report said.
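The practical consequence of tokens sitting in clear text is that anything with read access to the profile directory can find them, and a defender can use the same fact to audit a workstation. The following Python script is an added illustration, not code from the original article or from Vectra’s research: it walks a directory, flags files containing JWT-shaped bearer tokens, and reports where each token lives, its audience and whether it is still valid, without ever printing the token itself. It assumes nothing about Teams’ real file layout; the directory it scans, the file names in it and the tokens (dummy signature, no real issuer) are all constructed for the demo.

```python
import base64
import hashlib
import json
import os
import re
import tempfile
import time

# A JWT-shaped string: three base64url segments separated by dots. "eyJ" is
# how a base64url-encoded JSON object ({") always begins.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_jwt_claims(token: str):
    """Return (header, payload) for a JWT-shaped string, or None if it does not decode.
    The signature is not verified: the goal is to detect tokens at rest, not to trust them."""
    try:
        header_b64, payload_b64, _sig = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # bad padding, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(payload, dict):
        return None
    return header, payload


def find_cleartext_tokens(root: str, now=None, max_bytes=8_000_000):
    """Walk `root` and report every file holding a JWT-shaped token.
    Each finding carries the file, the token audience, whether it has expired and a
    short hash for correlation; the token value itself is never returned or logged."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    text = fh.read().decode("latin-1")  # lossless; tokens are ASCII anyway
            except OSError:
                continue
            for match in JWT_RE.finditer(text):
                parsed = parse_jwt_claims(match.group(0))
                if parsed is None:
                    continue
                _header, payload = parsed
                exp = payload.get("exp")
                findings.append({
                    "file": name,
                    "path": path,
                    "audience": payload.get("aud"),
                    "expired": exp is not None and exp < now,
                    "token_id": hashlib.sha256(match.group(0).encode()).hexdigest()[:12],
                })
    return sorted(findings, key=lambda f: f["path"])


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned demo token with a dummy signature segment; not a real credential."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{'A' * 43}"


def make_demo_dir() -> str:
    """Create a constructed profile directory (hypothetical layout): one cache file with a
    live token, one old log with an expired token, and one file holding no token at all."""
    root = tempfile.mkdtemp(prefix="token-audit-demo-")
    live = _fake_jwt({"aud": "https://api.example.invalid", "exp": 1_700_003_600})
    stale = _fake_jwt({"aud": "https://api.example.invalid", "exp": 1_699_000_000})
    with open(os.path.join(root, "session-cache.txt"), "w") as fh:
        fh.write(f'{{"cookies": [{{"name": "authtoken", "value": "Bearer {live}"}}]}}\n')
    with open(os.path.join(root, "old-log.txt"), "w") as fh:
        fh.write(f"2023-11-01 debug: refreshed token {stale}\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing sensitive here\n")
    return root


if __name__ == "__main__":
    demo = make_demo_dir()
    for finding in find_cleartext_tokens(demo, now=1_700_000_000):
        status = "EXPIRED" if finding["expired"] else "ACTIVE"
        print(f"{status:7} {finding['file']:20} aud={finding['audience']} id={finding['token_id']}")
```

The expiry check matters because it separates a live credential from a stale dump, which is exactly the distinction Vectra drew when it confirmed the tokens it found were still active. Reporting a truncated hash instead of the token lets an audit log be shared with a helpdesk or SOC without itself becoming a credential leak.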

Even more data was found upon further research, including valid authentication tokens and account information. Vectra also found a way to exploit the app and was able to receive the tokens in its own chat window.


It’s concerning that this vulnerability is currently out there, but Microsoft doesn’t consider it a large enough threat to work on patching it as a priority. A Microsoft spokesperson told Bleeping Computer: “The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing it in a future product release.”

In the meantime, if you’re worried about the security of your Teams account, a good idea is to switch to the browser version of Teams instead of the desktop client. Linux users, however, are advised to simply switch to a different app — especially because Microsoft is planning to stop supporting the Linux version of Teams by the end of this year.
