Researchers at Vectra have identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Reading the files that hold these credentials does not require elevated permissions, so any attack that gives a malicious actor local or remote system access exposes them. Additionally, this vulnerability was determined to impact all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux.

Microsoft Teams is an Electron-based app. Electron works by creating a web application that runs through a customised browser. This is very convenient and makes development quick and easy. However, running a web browser within the context of an application requires traditional browser data like cookies, session strings, and logs. This is where the issues around this vulnerability lie.

Like every application framework, Electron has its own idiosyncrasies related to authentication, secure file storage, communications, and so on. Development teams use frameworks for the same reason they use lots of other open source: it makes their jobs easier and faster. And that’s great. On the other hand, even security-aware teams might not understand what’s really going on in the depths of the framework they’re using. In this case, it appears that Electron might be saving some sensitive data in an insecure way.

Note that Electron is no stranger to security issues. Last month saw another bug in Electron that could cause issues in apps from Microsoft, Discord, Basecamp, and others. There was also a bug last year. As more people investigate Electron, there will almost certainly be more issues uncovered.