According to a cybersecurity company, Microsoft’s Teams stores client users’ authentication tokens in an insecure text format, potentially allowing attackers to post messages and transfer them later through an organization, even With two-factor authentication enabled.
Vectra recommends avoiding Microsoft’s desktop client, which is built with the Electron framework, for building apps from browser technologies, until Microsoft has fixed the flaw. Using the Web-based Teams client inside a browser such as Microsoft Edge is, somewhat paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.
Microsoft, for its part, believes that Vectra’s exploit “doesn’t meet our bar for immediate servicing” because it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing (the issue) in a future product release.”
Researchers at Vectra Discovered the vulnerability while assisting a customer trying to remove a disabled account from their team setup. Removing Microsoft required users to log in, so Vectra looked at local account configuration data. They set out to remove the reference to the logged-in account. Instead, what they found by searching the user’s name in the app’s files were tokens that, apparently, provided Skype and Outlook access. They found that each token was active and could provide access without triggering a two-factor challenge.
Going forward, he devised a proof-of-concept exploit. Their version downloads a SQLite engine to a local folder, uses it to scan a team app’s local storage for a token, then sends a high priority message to the user with their token text. The potential consequences of this exploit are more than just phishing some users with their own tokens, of course:
Anyone who installs and uses the Microsoft Teams client in this situation is storing the credentials needed to take any possible action through the Teams UI, even when Teams is turned off. It enables attackers to modify SharePoint files, Outlook mail and calendar and team chat files. Even more damaging, attackers can tamper with legitimate communications within an organization, selectively destroy, carry out, or engage in targeted phishing attacks. There is no limit to an attacker’s ability to advance through your company’s environment at this point.
Vectra notes that proceeding through a user’s team access presents a particularly rich well for phishing attacks, as malicious actors can pose as CEOs or other executives and receive actions and clicks from lower-level employees. can ask for. This is a strategy known as a business email agreement (BEC); you can read about On the blog on Microsoft issues,
We’ve reached out to Microsoft for comment and will update this post if we get a response.
Vectra recommends that developers, if they “must use Electron for your application,” store OAuth tokens securely using tools such as KeyTar. Vectra’s security architect Conor Peoples told Dark Reading that he believes Microsoft is moving away from Electron and toward progressive Web apps, which will offer better OS-level security around cookies and storage. .