Microsoft's Teams client stores users' authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft's desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes Vectra's exploit "does not meet our bar for immediate servicing" since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will "consider addressing (the issue) in a future product release."

Researchers at Vectra discovered the vulnerability while helping a customer trying to remove a disabled account from their Teams setup. Because Microsoft requires an account to be logged in before it can be removed, Vectra looked into the local account configuration data, intending to strip out references to the logged-in account by hand. What they found instead, by searching for the user's name in the app's files, were tokens, in the clear, providing Skype and Outlook access. Each token they found was still active and could grant access without triggering a two-factor challenge. Going further, they crafted a proof-of-concept exploit.
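The search Vectra describes, looking for the signed-in user's name in the client's local files and checking whether any token found next to it is still usable, is easy to turn into a local audit. The script below is an added example written for this page; it is not Vectra's tooling or Microsoft's code. It assumes the tokens are JWTs (three base64url segments), that the directory scanned is one you are authorised to inspect, and it builds a constructed sample tree (`build_sample`) in a temporary directory rather than reading real Teams data; the file names, claim values and audiences in that sample are made up for the demonstration.

```python
"""Audit a local app-data directory for cleartext bearer tokens.

Added example, not code from the article, Vectra or Microsoft. It mirrors the
check described above: look for the signed-in user's name in an app's local
files and flag any JWT found in the same file, noting whether its `exp` claim
has passed. Assumptions: tokens are JWT-shaped; the directory is yours to read.
"""
import base64
import json
import os
import re
import tempfile
import time

# JWT-shaped strings: base64url header starting with "eyJ" ('{"'), then
# payload and signature segments, dot-separated.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}")


def _b64url_decode(segment: bytes) -> bytes:
    return base64.urlsafe_b64decode(segment + b"=" * (-len(segment) % 4))


def decode_claims(token: bytes) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.

    Verification is beside the point here: the question is whether a usable
    token sits on disk, not whether this machine trusts it.
    """
    return json.loads(_b64url_decode(token.split(b".")[1]))


def scan_for_tokens(root: str, username: str, now=None) -> list:
    """Walk `root`; in files that mention `username`, report every JWT found.

    Each record carries the file, the upn/sub claim, the audience and whether
    the token is still inside its `exp` window at time `now`.
    """
    now = time.time() if now is None else now
    needle = username.encode()
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if needle not in data:
                continue  # the article's heuristic: start from the user's name
            for m in JWT_RE.finditer(data):
                try:
                    claims = decode_claims(m.group(0))
                except ValueError:  # covers bad base64, bad UTF-8, bad JSON
                    continue
                exp = claims.get("exp")
                findings.append({
                    "file": os.path.relpath(path, root),
                    "upn": claims.get("upn") or claims.get("sub"),
                    "aud": claims.get("aud"),
                    "active": exp is not None and exp > now,
                })
    return findings


def _fake_jwt(claims: dict) -> bytes:
    """Unsigned, JWT-shaped token for the constructed sample (alg=none)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=")
    return enc({"alg": "none", "typ": "JWT"}) + b"." + enc(claims) + b"." + b"sig" * 4


def build_sample(username: str) -> str:
    """Create a CONSTRUCTED app-data tree in a temp dir (not real Teams files)."""
    root = tempfile.mkdtemp(prefix="appdata-sample-")
    live = _fake_jwt({"upn": username, "aud": "skype", "exp": 4102444800})     # year 2100
    stale = _fake_jwt({"upn": username, "aud": "outlook", "exp": 946684800})   # year 2000
    with open(os.path.join(root, "localstorage.log"), "wb") as fh:
        # Plaintext account record sitting beside the tokens, as a key/value store would hold it.
        fh.write(b'{"account":"' + username.encode() + b'"}\x00token\x00' + live + b"\x00token\x00" + stale)
    with open(os.path.join(root, "settings.json"), "wb") as fh:
        fh.write(b'{"theme":"dark"}')  # no user name, no tokens: skipped
    return root


if __name__ == "__main__":
    sample = build_sample("alice@example.com")
    for hit in scan_for_tokens(sample, "alice@example.com"):
        print(hit)
```

The user-name filter keeps the scan fast and matches how the tokens were found, but it is only a heuristic: a token stored in a file that does not also carry the name in plaintext would be missed, so for a thorough check drop the `needle` test and let the regex run over every file. `active` is judged from `exp` alone; a token may also have been revoked server-side, which no local check can tell you.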