Severe Security Flaw in Microsoft Teams Desktop App Let Attackers Access Authentication Tokens

by Esmeralda McKenzie

Earlier, in August 2022, Vectra researchers came across an attack path that lets attackers with file system access steal credentials for any Microsoft Teams user who is signed in.

Researchers say the attackers don't require permissions to read these files, and the issue impacts all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux. Vectra reported this issue to Microsoft, but they said it didn't meet their bar for immediate servicing.

Severe Security Flaws in the Desktop App for Microsoft Teams

Microsoft Teams is a proprietary enterprise communication platform developed by Microsoft as part of the Microsoft 365 family of products. Teams basically competes with the comparable service Slack, offering workspace chat and videoconferencing, file storage, and application integration.

Generally, the Microsoft Teams app stores authentication tokens in 'cleartext', and with these tokens attackers can assume the token holder's identity for any actions possible through the Microsoft Teams client.

Further, the stolen tokens let threat actors attack 'MFA-enabled accounts', creating an 'MFA bypass', say Vectra researchers.

Researchers say one of the root causes of the vulnerability is that Microsoft Teams is an Electron-based app. Electron works by creating a web application that runs through a customized browser, which makes development easier.

But running a web browser requires browser data like cookies, session strings, and logs. Moreover, Electron does not support standard browser controls like encryption, and system-protected file locations are not supported by Electron.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs.” – Vectra

Authentication token in the Cookies directory (Vectra)

Experts used the SQLite engine. Because SQLite does not require installation, the exploit downloads SQLite to a local folder and executes it to read the Cookies DB, from which researchers extract the Skype Access token required for sending messages.

Token received as text in the attacker’s personal chat (Vectra)

“The desktop application creates opportunities for attackers to use credentials outside their intended context because, unlike modern browsers, there are no additional security controls to protect cookie data.” – Vectra
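A defender-side check for the storage condition described above, as an added example (not Vectra's or Microsoft's code): it classifies rows of a Chromium-style cookie store as cleartext or encrypted without ever returning the values. The simplified table layout, the `.teams.example` host and the cookie names are assumptions constructed for illustration.

```python
import sqlite3

# Assumption: a simplified Chromium-style "cookies" table (host_key, name,
# value, encrypted_value). Hosts, names and values below are constructed.
def build_sample_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, "
               "value TEXT, encrypted_value BLOB)")
    db.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
        (".teams.example", "example_auth_token", "eyJhbGciOi-constructed-sample", b""),
        (".teams.example", "example_session", "", b"v10\x8f\x02\x11constructed"),
        (".teams.example", "example_pref", "dark", b""),
    ])
    db.commit()
    return db

def open_readonly(path):
    """Open an existing cookie store without risking modification."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def audit_cookie_storage(db, min_len=16):
    """Classify each cookie by storage form; values are never returned."""
    findings = []
    for host, name, value, enc in db.execute(
            "SELECT host_key, name, value, encrypted_value FROM cookies"):
        if value and len(value) >= min_len:
            status = "cleartext"        # long readable value: token-like
        elif enc:
            status = "encrypted"        # only an opaque blob is stored
        else:
            status = "short-or-empty"   # too short to be a bearer token
        findings.append({"host": host, "name": name, "status": status})
    return findings

def cleartext_names(findings):
    return sorted(f["name"] for f in findings if f["status"] == "cleartext")

if __name__ == "__main__":
    for finding in audit_cookie_storage(build_sample_db()):
        print(finding)
```

The `min_len` threshold is a heuristic chosen for this example; tune it to the token formats in your environment.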

Experts also point out that attackers can conduct communications within an organization. Assuming full control of critical seats, like a company’s Head of Engineering, CEO, or CFO, attackers can convince users to perform tasks damaging to the organization.

Advice

Researchers recommend using the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks. Linux users are advised to switch to a different collaboration suite, particularly since Microsoft announced plans to stop supporting the app for the platform by December.


Source credit : cybersecuritynews.com
