Microsoft Teams is storing authentication tokens in cleartext
Quote: A security vulnerability has been discovered in Microsoft Teams. A report that was published by security firm Vectra reveals that Microsoft Teams is storing authentication tokens in cleartext.


Microsoft Teams security issue

The vulnerability is present in the desktop versions of Teams for Windows, macOS and Linux. Threat actors who have local (physical) or remote access to a victim's system can access the credentials of signed-in users without requiring administrator privileges. Hackers could bypass two-factor authentication even if it is enabled on the account, and access other related apps such as Skype and Outlook. This could potentially be exploited to impersonate other users, tamper with data, or engineer targeted phishing attacks.

How the vulnerability was discovered

Vectra's researchers were working on a way to help a client, who wanted to delete old accounts (inactive users) from Microsoft Teams. The app does not allow this, so they looked for a different way and discovered a couple of files. One of these contained the authentication tokens that were stored by Microsoft Teams, and these credentials were in cleartext (unencrypted format). The other file, which was a browser cookies database, also had these tokens.

The security firm created a proof-of-concept to test whether the loophole could be exploited to allow access to user accounts. It used the SQLite engine to download the data to a local folder and extracted the Skype access token from it. This was then used to send a test message, proving that the vulnerability allows access to other apps.

Such malicious tactics could be used by hackers to penetrate organizations, pretending to be a CEO or CFO, to convince other users to perform tasks that could damage the company.

Vectra's advisory explains that the Electron framework is to be blamed for the issue, since it does not support standard security protocols such as encryption and system-protected folders out of the box. Ars Technica points out that such security vulnerabilities in Electron apps aren't a new thing; they have been reported in WhatsApp, Skype and Slack over the past couple of years. Vectra says that developers who use Electron must use OAuth in their apps to store the authentication tokens securely, for example by using KeyTar.

Microsoft says this is not a serious issue

Microsoft has acknowledged the vulnerability, but a company spokesperson told the security blog Dark Reading that it has chosen not to patch the bug immediately. This is what it said:

Quote: "The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network"

In other words, it says that unless a user's network is already compromised, either locally or via malware (which can be used to trigger remote code execution), this shouldn't really be a threat for most users.

Connor Peoples, a security architect at Vectra Security, said that since Microsoft is moving toward Progressive Web Apps, this would mitigate the issues that are present in Electron. The security firm has advised users not to use the Microsoft Teams desktop app until the vulnerability has been patched, and instead recommends using Teams via a web browser.
...
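The discovery described in the article (tokens readable from a cookies database sitting next to the desktop client) turned into a defensive check, as an added example that is not part of the original post and is neither Vectra's proof-of-concept nor Microsoft code. It assumes, and the article does not state, that the client keeps a Chromium-style SQLite "Cookies" file whose `cookies` table has `host_key`, `name`, `value` and `encrypted_value` columns, and that the tokens of interest are JWTs. Chromium normally stores secrets in `encrypted_value` (DPAPI on Windows, Keychain on macOS, libsecret on Linux) and leaves `value` empty, so a JWT that parses straight out of `value` is exactly the cleartext exposure the report describes. The sample database, hostnames and tokens below are constructed; point `scan_cookie_db()` at a real Cookies file to audit it. The second location the article mentions (the Electron local-storage LevelDB) is not covered here.

```python
"""Audit a Chromium/Electron-style Cookies database for cleartext bearer tokens.

Added example for this thread; not Vectra's, Microsoft's or the article's code.
Assumptions (not stated on the page): a Chromium-style SQLite "Cookies" file whose
`cookies` table has `host_key`, `name`, `value`, `encrypted_value` columns, and
JWT-shaped tokens. make_sample_db() writes a CONSTRUCTED database with fake data.
"""
import base64
import json
import os
import shutil
import sqlite3
import tempfile
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt(value: str):
    """Return (header, payload) if `value` is a structurally valid JWT, else None.
    The signature is deliberately not verified: the question is only whether a
    bearer token sits readable on disk, not whether it is authentic."""
    parts = value.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not (isinstance(header, dict) and "alg" in header and isinstance(payload, dict)):
        return None
    return header, payload


def scan_cookie_db(db_path: str, now: Optional[float] = None) -> list:
    """List cookies whose plaintext `value` column holds a JWT.

    A populated `encrypted_value` with an empty `value` is the healthy case;
    a JWT in `value` is readable by anything running as the user."""
    now = time.time() if now is None else now
    with tempfile.TemporaryDirectory() as tmp:
        # Work on a copy so a lock held by the running client does not block us.
        copy = os.path.join(tmp, "Cookies.copy")
        shutil.copyfile(db_path, copy)
        con = sqlite3.connect(copy)
        try:
            rows = con.execute(
                "SELECT host_key, name, value, encrypted_value FROM cookies"
            ).fetchall()
        finally:
            con.close()
    findings = []
    for host, name, value, encrypted in rows:
        if not value:
            continue  # empty, or stored only in encrypted_value: nothing readable
        parsed = parse_jwt(value)
        if parsed is None:
            continue  # ordinary cookie (session id, tracking id), not a JWT
        header, payload = parsed
        exp = payload.get("exp")
        findings.append({
            "host": host,
            "cookie": name,
            "alg": header.get("alg"),
            "aud": payload.get("aud"),
            "expired": exp is not None and exp < now,
            "has_encrypted_copy": bool(encrypted),
        })
    return findings


def _fake_jwt(payload: dict) -> str:
    """Build a CONSTRUCTED JWT for the sample database; the signature is 32 zero bytes."""
    def seg(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = seg(json.dumps(payload).encode())
    sig = seg(bytes(32))
    return header + "." + body + "." + sig


def make_sample_db(path: str, now: float) -> None:
    """Write a constructed Cookies database with only the columns scan_cookie_db reads."""
    live = _fake_jwt({"aud": "https://api.example-chat.test", "exp": int(now) + 3600})
    stale = _fake_jwt({"aud": "https://api.example-chat.test", "exp": int(now) - 60})
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB)")
    con.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
        ("chat.example.test", "auth_jwt", live, b""),        # cleartext, still valid
        ("chat.example.test", "legacy_jwt", stale, b""),     # cleartext, expired
        (".example.test", "tracking_id", "3f2a9c", b""),     # plain id, not a token
        ("login.example.test", "sso_cookie", "", b"\x01\x00opaque-blob"),  # encrypted: fine
    ])
    con.commit()
    con.close()


def audit_demo() -> list:
    """Build the constructed database in a temp dir and scan it."""
    now = 1_700_000_000.0
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Cookies")
        make_sample_db(db, now)
        return scan_cookie_db(db, now)


if __name__ == "__main__":
    for finding in audit_demo():
        print(finding)
```

Expired tokens are reported too: a practitioner wants to know that the client writes bearer tokens to disk in the clear at all, since the next refresh will land in the same place. Note that the scan never prints the token value itself, only metadata, so the audit output can be shared without re-leaking the credential.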

