Microsoft Teams stores auth tokens in clear text, won't be fixed soon

Microsoft Teams stores auth tokens in clear text, won’t be fixed soon

Enlarge / Using Teams in a browser is actually safer than using Microsoft’s desktop apps, which are built into a browser. It’s a lot to work on.

Microsoft’s Teams client stores user authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-way authentication factors enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft’s desktop client, built with the Electron framework for building apps from browser technologies, until Microsoft fixes the flaw. Using the web-based Teams client in a browser like Microsoft Edge is, somewhat ironically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes that the Vectra exploit “does not hit our bar of immediate service” because it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company “will consider addressing (the issue) in a future product release.”

Vectra researchers discovered the vulnerability while assisting a customer trying to remove a disabled account from their Teams configuration. Microsoft requires users to be logged in to be deleted, so Vectra reviewed the local account configuration data. They undertook to remove references to the connected account. What they found instead, by searching the application files for the user’s name, were tokens, in the clear, providing access to Skype and Outlook. Each token found was active and could grant access without triggering a two-factor challenge.

Going further, they designed a proof-of-concept exploit. Their version downloads a SQLite engine to a local folder, uses it to scan a Teams app’s local storage for an authentication token, then sends the user a priority message with their own token text. . The potential consequences of this exploit are bigger than phishing some users with their own tokens, of course:

Anyone who installs and uses the Microsoft Teams client in this state stores the credentials needed to perform any possible action through the Teams UI, even when Teams is stopped. This allows attackers to modify SharePoint files, Outlook email and calendars, and Teams chat files. Even more damaging, attackers can alter legitimate communications within an organization by selectively tearing down, exfiltrating, or engaging in targeted phishing attacks. There is no limit to an attacker’s ability to move through your business environment at this point.

Vectra notes that moving through a user’s Teams access presents a particularly rich well for phishing attacks, as malicious actors can impersonate CEOs or other executives and seek out actions and clicks. lower level employees. This is a strategy known as Business Email Compromise (BEC); you can read about it on the Microsoft On the Issues blog.

Electron apps have already been found to harbor deep security issues. A 2019 presentation showed how browser vulnerabilities could be used to inject code into Skype, Slack, WhatsApp and other Electron apps. WhatsApp’s desktop Electron app was found to have another vulnerability in 2020, providing local file access via JavaScript embedded in messages.

We have contacted Microsoft for comment and will update this post if we receive a response.

Vectra recommends that developers, if they “must use Electron for your application”, securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he thinks Microsoft is moving away from Electron and towards progressive web apps, which would provide better OS-level security around cookies and storage.

#Microsoft #Teams #stores #auth #tokens #clear #text #wont #fixed

Leave a Comment

Your email address will not be published.