Using Teams in a browser is definitely safer than using Microsoft’s desktop apps, which are wrapped around a browser. It’s a lot to work through.
Microsoft’s Teams client stores users’ authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.
Vectra recommends avoiding Microsoft’s desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, safer, Vectra claims. The reported issue affects Windows, Mac, and Linux users.
Microsoft, for its part, believes Vectra’s exploit “does not meet our bar for immediate servicing” since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing (the issue) in a future product release.”
Researchers at Vectra discovered the vulnerability while helping a customer trying to remove a disabled account from their Teams setup. Microsoft requires users to be logged in to be removed, so Vectra looked into local account configuration data. They set out to remove references to the logged-in account. What they found instead, by searching for the user’s name in the app’s files, were tokens, in the clear, providing Skype and Outlook access. Each token they found was active and could grant access without triggering a two-factor challenge.
Going further, they crafted a proof-of-concept exploit. Their version downloads an SQLite engine to a local folder, uses it to scan a Teams app’s local storage for an auth token, then sends the user a high-priority message with their own token text. The potential consequences of this exploit are greater than phishing some users with their own tokens, of course:
Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks. There is no limit to an attacker’s ability to move through your company’s environment at this point.
Vectra notes that moving through a user’s Teams access presents a particularly rich well for phishing attacks, as malicious actors can pose as CEOs or other executives and seek actions and clicks from lower-level employees. It’s a strategy known as Business Email Compromise (BEC); you can read about it on Microsoft’s On the Issues blog.
We’ve reached out to Microsoft for comment and will update this post if we receive a response.
Vectra recommends that developers, if they “must use Electron for your application,” securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and toward Progressive Web Apps, which would provide better OS-level protection around cookies and storage.