Microsoft Teams stores auth tokens in clear text that won’t be patched quickly

The Microsoft Teams client stores user authentication tokens in an unsecured text format, potentially allowing attackers with local access to post messages and move around the organization even with two-factor authentication enabled, according to cybersecurity company Vectra.

Vectra recommends avoiding Microsoft’s desktop client, which is built on Electron (a platform for building desktop applications with browser technologies), until Microsoft fixes the flaw. Using the Teams web client inside a browser like Microsoft Edge is, paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes that the Vectra exploit “does not meet our bar for immediate service,” as other vulnerabilities would be required to infiltrate the network in the first place. A spokesperson told Dark Reading that the company would “look into resolving (the issue) in a future product release.”

Vectra researchers discovered the vulnerability while helping a customer who was trying to remove a disabled account from their Teams setup. Microsoft requires users to be signed in to uninstall, so Vectra looked into the local account configuration data, intending to remove links to the logged-in account. Instead, when they looked up the username in the application files, they found tokens that grant access to Skype and Outlook. Each token found was active and could grant access without triggering two-factor verification.

Going further, they created an experimental exploit. Their version downloads the SQLite engine to a local folder, uses it to scan the Teams app’s local storage for an authentication token, and then sends a high-priority message to the user with the token’s own text. The potential consequences of this exploit are of course more than phishing some users with their own tokens:

Anyone who installs and uses the Microsoft Teams client in this state retains the credentials required to perform any action possible through the Teams user interface, even when Teams is closed. This allows attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more dangerous is that attackers can interfere with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks. At the moment, an attacker’s ability to move around in your company’s environment is not limited.

Vectra notes that navigating through user access to Teams is a particularly rich source for phishing attacks, as attackers can pose as CEOs or other executives and solicit actions and clicks from lower-level employees. This is a strategy known as business email compromise (BEC); you can read about it on the Microsoft blog On the Issues.

Electron applications were previously found to contain serious security issues. A 2019 presentation showed how browser vulnerabilities can be exploited to inject code into Skype, Slack, WhatsApp, and other Electron apps. In 2020, another vulnerability was discovered in the WhatsApp Electron desktop application, allowing local access to files through JavaScript embedded in messages.

We’ve reached out to Microsoft for comment and will update this post if we get a response.

Vectra recommends that developers, if they “need to use Electron for their application”, securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and moving towards Progressive Web Apps, which will provide better OS-level security regarding cookies and storage.
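As an added example (not code from Vectra, Microsoft, or the keytar project), the pattern Vectra recommends: an Electron app keeps its OAuth token in the OS credential store through keytar’s setPassword/getPassword/deletePassword calls instead of in local storage, and fails closed rather than writing a plaintext file when that store is unavailable. SERVICE, TokenStore and the in-memory backend are assumed names introduced here.

```javascript
// Added example: keep an OAuth token in the OS credential store (keytar) instead
// of in an Electron app's local storage. `backend` defaults to the real keytar
// module; tests inject an in-memory fake with the same three methods.
const SERVICE = "example-electron-app"; // constructed service name for the keychain entry

function loadKeytar() {
  try {
    return require("keytar"); // native module backed by Keychain / DPAPI / libsecret
  } catch (err) {
    // Fail closed: re-prompting the user to sign in is preferable to persisting
    // a bearer token on disk where any local process can read it.
    throw new Error("OS credential store unavailable; not falling back to plaintext: " + err.message);
  }
}

class TokenStore {
  constructor(backend) {
    this.backend = backend || loadKeytar();
  }
  // Store one account's token; the OS encrypts it under the user's login session.
  async save(account, token) {
    if (typeof token !== "string" || token.length === 0) {
      throw new Error("refusing to store an empty token");
    }
    await this.backend.setPassword(SERVICE, account, token);
  }
  // Resolves to null when nothing is stored, mirroring keytar.getPassword.
  async load(account) {
    return this.backend.getPassword(SERVICE, account);
  }
  // Remove the token on sign-out so a disabled account leaves nothing behind.
  async clear(account) {
    return this.backend.deletePassword(SERVICE, account);
  }
}

// In-memory stand-in with keytar's signatures, for tests only; it is NOT a
// secure store and must never be the fallback in a shipped app.
function memoryBackend() {
  const map = new Map();
  const key = (service, account) => service + "\0" + account;
  return {
    async setPassword(service, account, password) { map.set(key(service, account), password); },
    async getPassword(service, account) { return map.has(key(service, account)) ? map.get(key(service, account)) : null; },
    async deletePassword(service, account) { return map.delete(key(service, account)); },
  };
}
```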
