Microsoft has built a favorable reputation in terms of security but sometimes vulnerabilities manage to slip through the cracks. Two reports regarding Microsoft Teams and Microsoft Edge recently conveyed that the applications’ users may be at risk. For Teams, its on-premise desktop version’s means of authentication makes it vulnerable to cyberattacks and data breaches. Meanwhile, Edge and Google Chrome users’ private data are purportedly mined through the browsers’ enhanced spellcheck features.
Electron Supposedly Compromises Teams
Microsoft Teams runs on the Electron framework, which builds apps on a customized browser and simplifies the creation process. Cybersecurity group Vectra pointed out that Electron only supports safeStorage string encryption and does not support specific browser controls or system-level file protection. In addition, the on-premise desktop iterations of Microsoft Teams (particularly those running on macOS, Windows, and Linux) record authentication tokens in plain text. Hackers can exploit this.
As such, malicious individuals who have local or remote system access can steal the credentials of users in the network and mimic them to loot more data. Since Microsoft apps are integrated with one another, attackers can use the stolen credentials to access applications like Skype and Outlook even if users apply multiple layers of authentication.
Microsoft, however, doesn’t appear too concerned. The company stated that the issue does not meet the “bar for immediate servicing” since attackers have to gain access to a network before doing damage. Microsoft does acknowledge that the vulnerability is a concern that it will consider addressing in the future.
In response, Vectra suggests that users leverage the web-based version of the communication platform until Microsoft fixes the security concern.
Browser Spellchecker Mines Private Data
If the security concern of Microsoft Teams has cyber attackers benefitting from it, the browser spellchecker issue sees Microsoft and Google as the primary beneficiaries. Cybersecurity outfit otto-js found that Microsoft Edge’s MS Editor and Google Chrome’s Enhanced Spellcheck transmit the information entered in form fields to Microsoft and Google, respectively. Moreover, if users click on “Show Password,” the password data is sent to the browser’s developer.
This raises questions about what these big tech companies do with the personal data they gather and whether the collected information is simply used to enhance the browsing experience, as with cookies. The spell-jacking issue potentially affects large enterprises, especially those in the tech vertical, as third-party servers may gain access to confidential information like cloud infrastructure, business plans, supplier lists, qualified leads, existing deals, product information, and financial data.
With the browser spellcheckers in question activated, otto-js examined over 50 websites and divided 30 of these into a control group spanning six categories: online banking, cloud office tools, healthcare, ecommerce, social media, and government. The group found that 96.7% of the control group sites transmitted personal information to Microsoft and Google.
Furthermore, otto-js identified the web services that may pose a huge risk to enterprises in regard to spell-jacking. These include Office 365, Alibaba (Cloud Service), Amazon Web Services (Secrets Manager), Google Cloud (Secret Manager), and LastPass. As of this writing, Amazon and LastPass have already fixed the security concern.
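One defensive measure a site operator can apply against the spell-jacking described above is the standard HTML `spellcheck="false"` attribute, which opts a field out of browser spell checking. The following is an added example (not code from the page, otto-js, or any browser vendor) that audits a page's form fields for sensitive inputs still eligible for spell checking and implements a "Show Password" toggle that keeps spell checking off while the password is revealed; the field names and the minimal element objects are constructed sample data, and the regexes used to classify fields are assumptions.

```javascript
// Added example: hardening form fields against spell-jacking.
// Enhanced spellcheck sends editable field contents to a remote service,
// and a password field becomes exposed the moment a "Show Password"
// toggle switches it to type="text". The functions below use only the
// DOM-style members name, type, getAttribute and setAttribute, so they
// work on real <input> elements as well as the constructed stand-ins here.

// Assumed heuristics for "sensitive" field names and autocomplete hints.
const SENSITIVE_NAME = /pass|secret|token|api[-_]?key|ssn|account|card/i;
const SENSITIVE_AUTOCOMPLETE = /password|cc-number|one-time-code/i;

// A field is sensitive if it is a password input or its name /
// autocomplete hint suggests it holds a secret.
function isSensitive(el) {
  return el.type === "password" ||
    SENSITIVE_NAME.test(el.name || "") ||
    SENSITIVE_AUTOCOMPLETE.test(el.getAttribute("autocomplete") || "");
}

// True only when the field explicitly opts out of spell checking.
function spellcheckDisabled(el) {
  return (el.getAttribute("spellcheck") || "").toLowerCase() === "false";
}

// Audit: names of sensitive fields whose contents could still be sent
// to the browser's spellcheck service.
function auditFields(fields) {
  return fields
    .filter((f) => isSensitive(f) && !spellcheckDisabled(f))
    .map((f) => f.name);
}

// Hardened "Show Password" toggle: reveal the text, but disable spell
// checking first so the revealed value is never submitted for checking.
function togglePasswordVisibility(el, show) {
  el.setAttribute("spellcheck", "false");
  el.type = show ? "text" : "password";
  return el;
}

// Minimal DOM-like element for offline use (constructed sample).
function makeField(name, type, attrs = {}) {
  const a = { ...attrs };
  return {
    name,
    type,
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Constructed sample form: only "password" should be flagged.
const sampleFields = [
  makeField("username", "text"),
  makeField("password", "password"),
  makeField("api_key", "text", { spellcheck: "false" }),
  makeField("notes", "textarea"),
];
```

Running `auditFields(sampleFields)` on the sample form returns `["password"]`; after `togglePasswordVisibility(sampleFields[1], true)` the field reads as text but the audit returns an empty list.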
This goes to show that antivirus programs might not be enough to protect large operations. Having a highly competent IT team is a must at a time when cyber attackers and technology itself might be after one’s private information.