Microsoft Teams stores authentication tokens in plaintext

About 270 million people use Teams around the world


But the vulnerability does not satisfy Microsoft's standards for a quick fix

Microsoft's workplace-oriented messaging app, Teams, saves authentication tokens in an unencrypted plaintext format - potentially allowing attackers to control conversations and move laterally inside a network.

Security firm Vectra Protect claims the weakness affects the desktop app for Windows, Mac, and Linux, which was developed using the Microsoft Electron framework.

Even though Electron is built on web technologies, it does not support standard browser features such as encryption or system-protected file locations.

Vectra researchers identified the issue last month and reported it to Microsoft. However, the company said it has no immediate plans to fix the flaw because it does not match the requirements for patching, and because any exploit would need local network access.

Over 270 million people use Microsoft Teams to exchange text messages, host video conferences and store files.

While looking for a way to remove inactive accounts from client apps, Vectra examined Microsoft Teams and found an .ldb file containing access tokens in plain text.

The researchers also found the Cookies folder contained valid authentication tokens, account information, session data, marketing tags and more.

Vectra developed a proof-of-concept exploit using an API call that let them send a message to a credential holder's account using an access token.

The researchers used the SQLite engine to read the Cookies database and received the authentication tokens as a message in their chat window.
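As an added illustration (not Vectra's proof-of-concept or Microsoft's code) of the kind of check a defender can run against an Electron app's Chromium-style cookie store: it opens the SQLite file read-only, flags cookie values shaped like JWTs, and reports only host, name and length, never the token itself. The host names, cookie names and JWT contents in the sample store are constructed, and the real Teams file path and schema are assumed to follow Chromium's `cookies` table.

```python
import base64
import contextlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Assumed Chromium-style cookie table (Electron embeds Chromium); the real file
# has more columns, but these are the ones the check needs.
COOKIE_SCHEMA = "CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB)"

# A JWT is three base64url segments separated by dots; the first decodes to a JSON header.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}$")

def looks_like_jwt(value: str) -> bool:
    if not JWT_RE.match(value):
        return False
    header = value.split(".")[0]
    try:
        decoded = base64.urlsafe_b64decode(header + "=" * (-len(header) % 4))
    except ValueError:
        return False
    return decoded.lstrip().startswith(b"{")

def audit_cookie_store(db_path: Path) -> list[dict]:
    """One redacted finding per cookie whose plaintext value looks like a JWT.
    Values are never returned, so the report itself is not a secret."""
    findings = []
    # immutable=1 opens the store read-only so the audit cannot alter the file.
    uri = f"file:{db_path}?immutable=1"
    with contextlib.closing(sqlite3.connect(uri, uri=True)) as conn:
        for host, name, value in conn.execute("SELECT host_key, name, value FROM cookies"):
            if value and looks_like_jwt(value):
                findings.append({"host": host, "name": name, "plaintext": True, "length": len(value)})
    return findings

def build_sample_store(path: Path) -> None:
    """Constructed sample: one JWT-shaped cookie in plaintext, one opaque marketing tag."""
    hdr = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(b'{"sub":"example-user","aud":"example"}').rstrip(b"=").decode()
    fake_jwt = f"{hdr}.{body}.{'A' * 43}"  # constructed, not a real signature
    with contextlib.closing(sqlite3.connect(path)) as conn:
        conn.execute(COOKIE_SCHEMA)
        conn.executemany("INSERT INTO cookies VALUES (?,?,?,?)", [
            ("teams.example.test", "sessiontoken", fake_jwt, b""),  # hypothetical cookie name
            ("ads.example.test", "_mkt", "abc123", b""),
        ])
        conn.commit()

def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp) / "Cookies"
        build_sample_store(store)
        return audit_cookie_store(store)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['host']} cookie '{f['name']}': JWT-shaped value in plaintext ({f['length']} chars)")
```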

Connor Peoples of Vectra said attackers could use the tokens to leverage the token holder's identity for any Teams client-enabled activity, including accessing Microsoft Graph API services on their own workstation.

Attackers could also carry out operations against accounts that are configured with multi-factor authentication, thus bypassing MFA.

'Assuming full control of critical seats - like a company's Head of Engineering, CEO, or CFO - attackers can convince users to perform tasks damaging to the organisation,' Vectra Protect warned.

"The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network," a spokesperson for Microsoft told Dark Reading.

The spokesperson added that the company would consider addressing the flaw in a future product release.

"We appreciate Vectra Protect's partnership in identifying and responsibly disclosing this issue and will consider addressing [it] in a future product release."

Vectra advises users to refrain from using the Microsoft Teams desktop app until a patch is made available. As an alternative, users may utilise the Teams web app, which has extra security measures.

According to threat hunter John Bambenek, Microsoft is working toward Progressive Web App (PWA) technologies, which, he said, would mitigate many of the problems currently brought by Electron.