Microsoft Teams has been storing authentication tokens in plaintext

Microsoft Teams stores authentication tokens in unencrypted plaintext, potentially allowing attackers to control communications within an organization, according to the security firm Vectra. The flaw affects the desktop app for Windows, Mac and Linux built using Microsoft’s Electron framework. Microsoft is aware of the issue but said it has no plans for a fix anytime soon, since an exploit would also require network access.

 

Microsoft Teams authentication storage

 

According to Vectra, a hacker with local or remote system access could steal the credentials for any Teams user currently online, then impersonate them even when they’re offline. They could also pretend to be the user through apps associated with Teams, like Skype or Outlook, while bypassing the multifactor authentication (MFA) usually required.

 

“This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra security architect Connor Peoples wrote. “Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.”

 

Vectra created a proof-of-concept exploit that allowed them to send a message to the account of the credential holder via an access token. “Assuming full control of critical seats–like a company’s Head of Engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization.”

 

The problem is mainly limited to the desktop app, because the Electron framework (that essentially creates a web app port) has “no additional security controls to protect cookie data,” unlike modern web browsers. As such, Vectra recommends not using the desktop app until a patch is created, and using the web application instead.

 

When informed by cybersecurity news site Dark Reading of the vulnerability, Microsoft said it “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network,” adding that it would consider addressing it in a future product release.

 

However, threat hunter John Bambenek told Dark Reading it could provide a secondary means for “lateral movement” in the event of a network breach. He also noted that Microsoft is moving toward Progressive Web Apps that “would mitigate many of the concerns currently brought by Electron.”

 


Finnish company develops sand-based heat storage for batteries

Polar Night Energy and Vatajankoski, an energy utility company in Western Finland, have built a storage solution for renewable energy. What sets it apart is that it uses sand instead of lithium-ion or other battery technologies: the system stores electricity as heat in the sand. The company said on its website, “Polar Night Energy’s first commercial sand-based high-temperature heat storage is now in operation at Vatajankoski power plant area. The heat storage, which has a hundred tons of sand inside, is producing low emission district heating to the city of Kankaanpää in Western Finland. BBC made a story about Polar Night Energy’s heat storage solution.”

 

Other organizations working on sand-based heat storage

 

Other organizations are also working on using sand as energy storage, but as mentioned above, the Finnish company’s system is the first fully working commercial installation of a battery made from sand. NREL, a United States research laboratory that says it focuses on creative answers to today’s energy challenges, said on its website, “National Renewable Energy Laboratory (NREL) are in the late stages of prototype testing a game-changing new thermal energy storage technology that uses inexpensive silica sand as a storage medium. Economic Long-Duration Electricity Storage by Using Low-Cost Thermal Energy Storage and High-Efficiency Power Cycle (ENDURING) is a reliable, cost-effective, and scalable solution that can be sited anywhere.”

 

According to an article by Engadget, “Similar to traditional storage systems for renewables, Polar’s technology stores energy from wind turbines and solar panels that isn’t used at once. To be precise, it stores energy as heat, which is then used for the district heating network that Vatajankoski services. Sand is inexpensive and is very effective at storing heat at about 500 to 600 degrees Celsius. Polar says its technology can keep sand “hotter than the stoves in typical saunas” for months until it’s time to use that heat during Finland’s long winters.”