Using Teams in the browser is actually safer than using Microsoft's desktop application, which wraps a browser. It has a lot to work on.

Microsoft’s Teams client stores users’ authentication tokens in cleartext, potentially allowing attackers to send messages and move laterally through an organization even with two-factor authentication enabled, according to a cybersecurity firm.

Vectra recommends avoiding Microsoft’s desktop client, which is built with Electron (a framework for building desktop apps from browser technologies), until Microsoft fixes the flaw. Vectra says that using the web-based Teams client in a browser like Microsoft Edge is, somewhat paradoxically, safer. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, says the issue Vectra found “does not meet our requirements for emergency service” because an attacker would first need to compromise the network by other means. A spokesperson told Dark Reading that the company will “consider resolving (the issue) in a future product release.”

Vectra researchers discovered the vulnerability while helping a customer who was trying to remove a disabled account from a Teams installation. Microsoft requires users to be logged in to uninstall, so Vectra looked at the local account configuration data, intending to remove references to the logged-in account. Instead, when they searched the application’s files for the username, they found clearly labeled tokens that provided access to Skype and Outlook. Every token they found was active and could grant access without triggering a two-factor challenge.

Going further, they developed a proof-of-concept exploit. Their version downloads the SQLite engine to a local directory, uses it to scan Teams’ local storage for an auth token, then sends the user a high-priority message containing the text of their own token. The potential consequences of this exploit are, of course, greater than just phishing users with their own tokens:

In this case, anyone who installs and uses the Microsoft Teams client retains the credentials needed to perform any action possible through the Teams UI, even when Teams is closed. This allows attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can intercept legitimate communications within an organization by selectively destroying, extracting, or engaging in targeted phishing attacks. There is no limit to the attacker’s ability to move around your company’s environment at this point.

Vectra notes that access to a user’s Teams account is a particularly rich well for phishing attacks, since malicious actors can pose as CEOs or other executives and solicit actions and clicks from lower-level employees. This strategy is known as Business Email Compromise (BEC); you can read about it on Microsoft’s On the Issues blog.

Electron applications have been found to have deep security problems before. A 2019 presentation showed how browser vulnerabilities could be exploited to inject code into Skype, Slack, WhatsApp, and other Electron applications. WhatsApp’s Electron desktop app was found to have another weakness in 2020 that provided local file access via JavaScript embedded in messages.

We’ve reached out to Microsoft for comment and will update this post if we hear back.

Vectra recommends that developers keep OAuth tokens secure using tools like KeyTar if they “must use Electron for your application.” Vectra’s security architect Connor Peoples told Dark Reading that he believes Microsoft is moving away from Electron to Progressive Web Apps, which will provide better OS-level protection for cookies and memory.
