Security Flaw in Microsoft Teams

Earlier, in August 2022, Vectra researchers discovered an attack path that let attackers with file system access to steal credentials for any Microsoft Teams user who is signed in.

Reports say the attackers don’t require permissions to read these files and it impacts all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux. Vectra reported this issue to Microsoft but they said it did not meet their bar for immediate servicing.

Severe Security Flaws in the Desktop App for Microsoft Teams

Microsoft Teams is a proprietary business communication platform developed by Microsoft, as part of the Microsoft 365 family of products. Teams primarily compete with the similar service Slack, offering workspace chat and videoconferencing, file storage, and application integration.

Generally Microsoft Teams App stores authentication tokens in ‘cleartext’ and with these tokens, attackers can guess the token holder’s identity for any actions possible through the Microsoft Teams client.

EHA

Further, the stolen tokens let threat actors to attack against ‘MFA-enabled accounts’, creating an ‘MFA bypass’, says Vectra researchers.

Researchers say one of the root causes for the vulnerability is that the Microsoft Teams is an Electron-based app, where Electron works by creating a web application that runs through a customized browser and makes development easier. 

But for running a web browser needs browser data like cookies, session strings, and logs. Additionally, it does not support standard browser controls like encryption, and system-protected file locations are not supported by Electron.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs.” – Vectra

https://marvel-b1-cdn.bc0a.com/f00000000271567/assets-global.website-files.com/5bc662b786ecfc12c8d29e0b/6320af336a0fe833cc804654_undermining_2.png
Authentication token on the Cookies directory (Vectra)

Experts used the SQLite engine, where SQLite does not require installation, so the exploit downloads SQLite to a local folder and executes it to read the Cookies DB, where researchers extract the Skype Access token required for sending messages.

https://marvel-b1-cdn.bc0a.com/f00000000271567/assets-global.website-files.com/5bc662b786ecfc12c8d29e0b/6320afc1c37cf5482ebb0764_undermining_4.png
Token received as text in the attacker’s personal chat (Vectra)

“The desktop application creates opportunities for attackers to use credentials outside  their intended context because, unlike modern browsers, there are no additional security controls  to protect cookie data”, Vectra

Experts also mention that attackers can conduct communications within an organization. Assuming full control of critical seats–like a company’s Head of Engineering, CEO, or CFO—attackers can convince users to perform tasks damaging to the organization.

Recommendation

Researcher recommends using the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect token leaks. Linux users, move to a different collaboration suite, particularly since Microsoft announced plans to stop supporting the app for the platform by December.

Azure Active Directory Security – Download Free E-Book

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.