    Microsoft Teams stores cleartext authentication tokens, and they won’t be patched quickly

    By Avery Kensington, September 15, 2022
    Using Teams in the browser is more secure than using Microsoft's desktop apps, which are wrapped around the browser.  There is a lot to work through.

    Microsoft’s Teams client stores users’ authentication tokens in unprotected clear text, which could allow attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to cybersecurity firm Vectra.

    Vectra recommends avoiding Microsoft’s desktop client, which is built with the Electron framework for creating applications from browser technologies, until Microsoft fixes the bug. Using the web-based Teams client within a browser like Microsoft Edge is, to some extent, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

    For its part, Microsoft believes that the Vectra exploit “does not meet our criteria for online services” because it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company “will consider addressing (the issue) in a future product release.”

    Researchers at Vectra discovered the vulnerability while helping a customer who was trying to remove a disabled account from their Teams setup. Microsoft requires users to be signed in to be removed, so Vectra looked at the local account’s configuration data. They set out to remove references to the logged-in account. What they found instead, by searching for the username in the app’s files, were tokens, in clear text, providing access to Skype and Outlook. Each token found was active and could grant access without triggering a two-factor challenge.

    Going further, they crafted a proof-of-concept exploit. Their version downloads the SQLite engine to a local folder, uses it to scan the Teams local storage for the auth token, and then sends the user a high-priority message with their own token text. The potential consequences of this exploit are greater than phishing some users with their own tokens, of course:

    Anyone who installs and uses the Microsoft Teams client in this case stores the credentials needed to perform any action possible through the Teams user interface, even when Teams is turned off. This allows attackers to modify SharePoint files, Outlook mail, calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, smuggling, or engaging in targeted phishing attacks. There is no limit to an attacker’s ability to navigate through your corporate environment at this point.

    Vectra notes that moving through a user’s Teams access is a particularly rich vein for phishing attacks, since malicious actors can pose as CEOs or other executives and seek actions and clicks from lower-level employees. It is a strategy known as Business Email Compromise (BEC); you can read about it on Microsoft’s blog On the Issues.

    Electron applications have been found to have deep security issues before. A 2019 presentation showed how browser vulnerabilities could be used to inject code into Skype, Slack, WhatsApp, and other Electron apps. WhatsApp’s Electron desktop application was found to have another vulnerability in 2020, which provided access to local files through JavaScript embedded in messages.

    We’ve reached out to Microsoft for comment and will update this post if we receive a response.

    Vectra recommends that developers, if they “must use Electron for your app,” store OAuth tokens securely using tools like KeyTar. Connor Peoples, a security engineer at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and moving toward progressive web applications, which will provide better OS-level security around cookies and storage.
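
One way to follow that recommendation, as an added example that is not from Vectra, Microsoft, or the original article: move tokens out of a plaintext session file into the OS credential store and leave only non-secret fields on disk. The `keychain` argument is assumed to be the `keytar` module (`setPassword`, `getPassword`, `deletePassword`); the in-memory stand-in, service name, file layout, and sample tokens are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const SERVICE = "example-electron-app"; // hypothetical service name

// In a real app pass require("keytar"); this in-memory stand-in only mirrors
// keytar's setPassword/getPassword/deletePassword so the example runs offline.
function memoryKeychain() {
  const items = new Map();
  return {
    setPassword: async (svc, acct, secret) => { items.set(`${svc}/${acct}`, secret); },
    getPassword: async (svc, acct) => items.get(`${svc}/${acct}`) ?? null,
    deletePassword: async (svc, acct) => items.delete(`${svc}/${acct}`),
  };
}

// Move any token found in a legacy plaintext session file into the keychain
// and rewrite the file so that only non-secret fields remain on disk.
async function migrateSession(file, keychain) {
  const session = JSON.parse(fs.readFileSync(file, "utf8"));
  const { accessToken, refreshToken, ...publicFields } = session;
  let moved = 0;
  for (const [kind, value] of Object.entries({ accessToken, refreshToken })) {
    if (typeof value !== "string" || value === "") continue;
    await keychain.setPassword(SERVICE, `${session.account}:${kind}`, value);
    moved += 1;
  }
  // Write to a temp file and rename so a crash cannot leave a half-written file.
  const tmp = `${file}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify(publicFields), { mode: 0o600 });
  fs.renameSync(tmp, file);
  return moved;
}

// Sign-out must also purge the keychain entries, or the tokens outlive the session.
async function signOut(account, keychain) {
  for (const kind of ["accessToken", "refreshToken"]) {
    await keychain.deletePassword(SERVICE, `${account}:${kind}`);
  }
}

// Constructed sample: a session file that keeps its tokens in clear text.
function writeSampleSession() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "session-"));
  const file = path.join(dir, "session.json");
  fs.writeFileSync(file, JSON.stringify({ account: "alice@example.com", theme: "dark",
    accessToken: "constructed-access-token", refreshToken: "constructed-refresh-token" }));
  return file;
}
```

Rewriting the file does not scrub earlier copies from backups or disk, so tokens that were ever stored in clear text should also be revoked and reissued.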
