Microsoft Teams stores cleartext auth tokens, won’t be quickly patched

Using Teams in a browser is definitely safer than using Microsoft's desktop apps, which are wrapped around a browser. It's a lot to work through.

Microsoft's Teams client stores users' authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft's desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, safer, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes Vectra's exploit “does not meet our bar for immediate servicing” since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing [the issue] in a future product release.”

Researchers at Vectra discovered the vulnerability while helping a customer who was trying to remove a disabled account from their Teams setup. Microsoft requires users to be logged in to be removed, so Vectra looked into the local account configuration data. They set out to remove references to the logged-in account. What they found instead, by searching for the user's name in the app's files, were tokens, in the clear, providing Skype and Outlook access. Each token they found was active and could grant access without triggering a two-factor challenge.

Going further, they crafted a proof-of-concept exploit. Their version downloads an SQLite engine to a local folder, uses it to scan a Teams app's local storage for an auth token, then sends the user a high-priority message with their own token text. The potential consequences of this exploit are greater than phishing some users with their own tokens, of course:

Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This allows attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks. There is no limit to an attacker's ability to move through your company's environment at this point.

Vectra notes that moving through a user's Teams access presents an especially rich well for phishing attacks, as malicious actors can pose as CEOs or other executives and seek actions and clicks from lower-level employees. It's a strategy known as Business Email Compromise (BEC); you can read about it on Microsoft's On the Issues blog.

Electron apps have been found to harbor deep security issues before. A 2019 presentation showed how browser vulnerabilities could be used to inject code into Skype, Slack, WhatsApp, and other Electron apps. WhatsApp's desktop Electron app was found to have another vulnerability in 2020, providing local file access through JavaScript embedded in messages.

We've reached out to Microsoft for comment and will update this post if we receive a response.

Vectra recommends that developers, if they “must use Electron in your application,” securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and toward Progressive Web Apps, which would provide better OS-level security around cookies and storage.
