By CNBCTV18.com

The major security flaw can potentially allow hackers to gain access to users’ accounts and change passwords.

Cybersecurity research firm Vectra has found a major flaw in Microsoft's workplace-oriented messaging app, Microsoft Teams. The security loophole might impact several users if hackers manage to exploit it and potentially gain access to users’ accounts and change their passwords.

This vulnerability wasn't identified until August of 2022, and it is very serious yet difficult to exploit. Users of the desktop versions of Microsoft Teams on Windows, Linux, and Mac are particularly at risk.

What is the security flaw?

The California-based cybersecurity research firm Vectra uncovered the potentially serious flaw in the desktop version of the service, in which authentication tokens are stored in plain text, making them vulnerable to a third-party attack.

As per Vectra, these credentials could theoretically be stolen by an attacker who has local or remote system access to the network, Android Police reported. Vectra elaborates that a hacker with requisite access could steal data from an online user and then mimic them when they're offline or use the identity to get access to apps like Outlook or Skype after bypassing the multifactor authentication (MFA) requirements.

Microsoft was informed about the vulnerability, but the company has given a lukewarm response and doesn't seem to be in a hurry to fix it.

How to be safe?

Vectra recommends that users avoid the Microsoft Teams desktop app until a fix is available and use the Teams web app, which has additional safeguards in place.

Since Microsoft has announced that it would no longer support the Linux version of Teams by the end of this year, users are strongly recommended to choose an alternative program.

Despite receiving the information on the loophole, Microsoft does not see the security flaw as a major enough risk to warrant a high-priority repair. Microsoft informed Bleeping Computer that the approach disclosed does not satisfy the company’s criterion for quick servicing, since it requires an attacker to first acquire access to a target network.

“We appreciate Vectra Protect's assistance in discovering and revealing this vulnerability, and we may look into fixing it in a future version of the product,” a Microsoft spokesperson wrote to Bleeping Computer.