
Microsoft’s Teams client stores users’ authentication tokens in an unprotected text format, potentially allowing attackers with local access to send messages and laterally move through an organization even with two-factor authentication enabled, a cybersecurity firm said.
Vectra recommends avoiding Microsoft's desktop client, which is built with Electron (a framework for building desktop apps from browser technologies), until Microsoft fixes the flaw. Vectra claims that using the web-based Teams client in a browser like Microsoft Edge is, somewhat paradoxically, safer. The reported issue affects Windows, Mac, and Linux users.
Microsoft, for its part, believes that the issue Vectra found "does not meet our requirements for emergency service" because exploiting it requires other vulnerabilities to gain access to the network in the first place. A spokesperson told Dark Reading that the company will "consider resolving (the issue) in a future product release."
Vectra researchers discovered the vulnerability while helping a customer who was trying to remove a disabled account from a Teams installation. Microsoft requires users to log in to uninstall, so Vectra looked at the local account configuration information, intending to remove references to the logged-in account. Instead, what they found by searching for the username in the application's files were clear-text tokens that provided access to Skype and Outlook. Every token they found was active and could grant access without triggering a two-factor challenge.
Going further, they developed a proof-of-concept exploit. Their version downloads the SQLite engine to a local folder, uses it to scan Teams' local storage for an auth token, then sends a high-priority message to the user containing that token's text. The potential consequences of this exploit go well beyond phishing a few users with their own tokens:
Anyone who installs and uses the Microsoft Teams client in this state retains the credentials needed to perform any action possible through the Teams UI, even when Teams is closed. This allows attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can intercept legitimate communications within an organization by selectively destroying, extracting, or participating in targeted phishing attacks. There is no limit to the attacker’s ability to move around your company’s environment at this point.
Vectra notes that compromising a user's Teams access provides a particularly rich well for phishing attacks, where malicious actors can pose as the CEO or other executives and solicit actions and clicks from lower-level employees. This is a strategy known as Business Email Compromise (BEC); you can read about it on Microsoft's On the Issues blog.
Electron apps have been found to have deep security problems before. A 2019 presentation showed how browser vulnerabilities could be exploited to inject code into Skype, Slack, WhatsApp, and other Electron applications. WhatsApp's Electron desktop app was found to have another weakness in 2020, which provided local file access via JavaScript embedded in messages.
We’ve reached out to Microsoft for comment and will update this post if we hear back.
Vectra recommends that developers, if they "must use Electron for your application," keep OAuth tokens secure using tools like KeyTar. Vectra's security architect Connor Peoples told Dark Reading that he thinks Microsoft is moving away from Electron and toward Progressive Web Apps, which will provide better OS-level security for cookies and memory.