Microsoft Teams stores authentication tokens as plain text in Windows, Linux, Macs

Sicherheit (Pexels, allgemeine Nutzung)[German]The desktop app for Microsoft Teams stores authentication tokens as plain text on the Linux, macOS, and Windows platforms. This allows attackers to access accounts using these tokens even if multi-factor authentication (MFA) has been enabled. Customers should rely on Teams web applications or monitor access to MS Teams data through processes, as Microsoft will not close this vulnerability immediately.


Advertising

Microsoft Teams

Microsoft Teams is a communication and colloboration platform developed by Microsoft that combines chat, meetings, notes and attachments. The Teams service is integrated into the Microsoft 365 suite with Microsoft Office and Skype/Skype for Business. Teams is sold by Microsoft as "the best thing since sliced bread was invented." But when I hear Microsoft Teams, I think immediately about IT security as well as data protection (see links at the end of the post).

Security nightmare Electron framework

Microsoft Teams is a service that can be used on clients with an app "clicked together." This app uses the Electron framework, which for me is the security nightmare come true. I just remind you of my blog post Microsoft Teams and it's security from 2020, where I explicitly pointed out the Electron framework and an ancient Chrome browser version it contains as a risk. Anyone who uses this framework is dealing with a black box. 

An investigation initiated by a user case

Security researchers began taking a closer look at Microsoft Teams because a Vectra Protect customer complained about how Microsoft Teams manages disabled identities. End users can't remove disabled accounts through the user interface because the Teams application requires the account to be logged in to remove it from the client.

Well, that's kind of understandable, that users can't delete a deactivated account because, after all, it's no longer possible to log in. But the Vectra folks wanted to solve this problem and looked at the local configuration data within the Teams client and figured out how it worked.

The Electron framework mortgages

During their investigation, they came across the Electron framework, which is used to build the Microsoft Teams app. Electron lets you create a web application that runs through a custom browser. This is very convenient and makes development quick and easy. Microsoft relies on Electron to deliver the app on multiple platforms.


Advertising

This is understandable, but developers who don't fully understand how Electron works may create apps that are too transparent. That's because running a Web browser in the context of an app requires the use of traditional browser data such as cookies, session strings and logs. And this is where the hooks lie, that thing can become a security nightmare.

Because the Electron framework hides the complexity of application creation, developers are unlikely to be aware of the impact of their design decisions. Electron does not support standard browser features such as encryption. System-protected file locations are not supported by Electron by default and must be managed and secured by the developer. Security experts have therefore long lamented the use of the Electron framework as a security risk.

Authentication tokens in plain text

When the Vectra Protect team investigated the customer issue in August 2022, they came across a possible attack path in Microsoft Teams. This allowed malicious actors with access to the file system to steal the credentials (authentication tokens) for any logged-in Microsoft Teams user. This is because this data resides in the user profile.

Further investigation revealed that the Microsoft Teams app stores authentication tokens in plain text. With these tokens, attackers can assume the identity of the token holder for all actions possible through the Microsoft Teams client. This includes using this token to access Microsoft Graph API functions from the attacker's systems.

Even worse, these stolen tokens allow attackers to perform actions against accounts that are secured via multi-factor authentication (MFA). This allows MFA security to be bypassed. The vulnerability affects all commercial and GCC Desktop Teams clients for Windows, Mac and Linux. The details can be read in this article if you are interested.

Microsoft closes the case

The Vectra people reported this discovery to Microsoft as a security vulnerability and hoped for its quick elimination. Out came that Microsoft is aware of this problem. The Microsoft security team has closed the reported case, stating that this report does not meet the requirements for immediate processing. Say: There will be eventually, possibly an update to Microsoft Teams apps that closes this vulnerability. That's kind of obvious, since developers will have to knit token management around the Electron framework themselves.

Until Microsoft updates the Teams desktop app, customers should use only the Web-based Teams app, Vectra recommended. For customers who must use the installed desktop application, access to key application files should be monitored by processes other than the official Teams application to detect misuse ahead of time. (via).

Similar articles:
Microsoft Teams and it's security
Microsoft Teams targeted by hackers – a classification
Microsoft Teams Bugs: Blocks Emergency calls, unpatched phishing vulnerability since March 2021
Windows 11: Microsoft breaks start menu/taskbar with teams promo
Zoom & Teams not GDPR compliant useable
Toleration of MS Teams in Hessian schools ends on July 31, 2021
Data protection officer stopps use of Microsoft Teams in schools of German state Hesse
Fix for Microsoft Teams Performance Issues
Teams storage location for compliance records changed, bricks scripts
MS-Teams on Windows Server: Keep an eye on your RAM
Microsoft blocks Tutanota users in Teams
Citrix Fix for broken MS Teams call in VDA
Microsoft Teams: Vulnerability allowed account takeover


Advertising

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).