Microsoft Teams stores cleartext auth tokens, won’t be quickly patched

Using Teams in a browser is definitely safer than using Microsoft's desktop apps, which are themselves wrapped around a browser. It's a lot to work through.

Microsoft's Teams client stores users' authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft's desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, safer, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes Vectra's exploit "does not meet our bar for immediate servicing" since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will "consider addressing (the issue) in a future product release."

Researchers at Vectra discovered the vulnerability while helping a customer who was trying to remove a disabled account from their Teams setup. Microsoft requires users to be logged in before they can be removed, so Vectra looked into the local account configuration data, intending to remove references to the logged-in account. What they found instead, by searching for the user's name in the app's files, were tokens, in the clear, providing Skype and Outlook access. Each token they found was active and would grant access without triggering a two-factor challenge.

Going further, they crafted a proof-of-concept exploit. Their version downloads an SQLite engine to a local folder, uses it to scan a Teams app's local storage for an auth token, then sends the user a high-priority message containing their own token text. The potential consequences of this exploit go well beyond phishing some users with their own tokens, of course:


Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This permits attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks. There is no limit to an attacker's ability to move through your company's environment at this point.

Vectra notes that moving through a user's Teams access offers a particularly rich well for phishing attacks, as malicious actors can pose as CEOs or other executives and solicit actions and clicks from lower-level employees. It's a tactic known as Business Email Compromise (BEC); you can read about it on Microsoft's On the Issues blog.

Electron apps have been found to harbor deep security issues before. A 2019 presentation showed how browser vulnerabilities could be used to inject code into Skype, Slack, WhatsApp, and other Electron apps. WhatsApp's desktop Electron app was found to have another vulnerability in 2020, providing local file access through JavaScript embedded in messages.

We've reached out to Microsoft for comment and will update this post if we receive a response.

Vectra recommends that developers, if they "must use Electron for your application," securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and toward Progressive Web Apps, which would provide better OS-level protection around cookies and storage.
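To make the KeyTar recommendation concrete, here is an added example (not code from Vectra, Microsoft, or the KeyTar project) contrasting the pattern Vectra describes, a token persisted into the client's own cleartext storage, with a store that hands the token to an OS keychain through a keytar-style backend, plus a small audit that flags JWT-shaped strings in a storage dump so a build can fail if a token ever reaches app storage. The service name, account, in-memory keychain, and sample token are all constructed for the demo.

```javascript
// Added example: keeping OAuth tokens out of an Electron app's cleartext
// storage. The keychain backend mirrors keytar's setPassword/getPassword/
// deletePassword shape; in production you would wrap keytar itself (whose
// methods return promises and need await). Names below are hypothetical.
const SERVICE = 'example-desktop-chat-client';

// Stand-in for the OS keychain so the example runs without keytar installed.
class MemoryKeychain {
  constructor() { this.entries = new Map(); }
  set(service, account, secret) { this.entries.set(`${service}:${account}`, secret); }
  get(service, account) { return this.entries.get(`${service}:${account}`) ?? null; }
  delete(service, account) { return this.entries.delete(`${service}:${account}`); }
}

// The pattern to avoid: tokens written into localStorage / IndexedDB / a JSON
// settings file. Everything in dump() lands as cleartext under the app's
// profile directory, readable by any process running as the same user.
class CleartextStore {
  constructor() { this.items = {}; }
  saveToken(account, token) { this.items[`auth:${account}`] = token; }
  loadToken(account) { return this.items[`auth:${account}`] ?? null; }
  dump() { return JSON.stringify(this.items); }   // what reaches disk
}

// Hardened: app storage keeps only a marker; the secret lives in the keychain
// and is fetched on demand, so it is never in the files an attacker would scan.
class KeychainStore {
  constructor(keychain) { this.keychain = keychain; this.items = {}; }
  saveToken(account, token) {
    this.keychain.set(SERVICE, account, token);
    this.items[`auth:${account}`] = 'keychain';   // reference, not the secret
  }
  loadToken(account) { return this.keychain.get(SERVICE, account); }
  dump() { return JSON.stringify(this.items); }
}

// Audit helper for a CI test: JWTs are three base64url segments and the
// encoded header '{"' always starts with "eyJ". Returns every match found.
function findJwtLikeStrings(text) {
  return text.match(/\beyJ[\w-]+\.[\w-]+\.[\w-]+/g) || [];
}

// Constructed, non-functional JWT-shaped string ({"alg":"none"} header).
const SAMPLE_TOKEN =
  'eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyQGV4YW1wbGUuY29tIn0.c2lnbmF0dXJl';
```

Running findJwtLikeStrings over the dump of each store shows the difference: the cleartext store's dump contains the token, the keychain-backed store's dump contains only the marker.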

