Sunday, February 5, 2023

Microsoft Teams stores authentication tokens in clear text.

A security vulnerability has been found in Microsoft Teams. A report published by security firm Vectra reveals that Microsoft Teams stores authentication tokens in clear text.


Microsoft Teams security issues

The vulnerability exists in the desktop versions of Teams for Windows, macOS, and Linux. Threat actors who have local (physical) or remote access to the victim’s system can access the credentials of logged-in users without requiring administrator privileges. Hackers can bypass two-factor authentication even if it is enabled on the account, and access other related applications such as Skype and Outlook. This access could potentially be exploited to impersonate other users, corrupt data, or engineer targeted phishing attacks.


How the vulnerability was discovered

Vectra researchers were working on a way to help clients who wanted to remove old accounts (inactive users) from Microsoft Teams. The app didn’t allow this, so they looked for another way and found some files. One of them contained the authentication token stored by Microsoft Teams, and these credentials were in clear text (unencrypted format). Another file, the browser cookie database, also held this token.

The security company created a proof of concept to test whether the vulnerability could be exploited to access user accounts. It uses the SQLite engine to download the data to a local folder and extract the Skype access token from it. The token is then used to send test messages, proving that the vulnerability allows access to other applications.
Hackers could use such tactics to penetrate organizations by pretending to be the CEO or CFO and convincing other users to perform tasks that could damage the company.

Vectra advisors explain that the Electron framework is to blame for this problem, as it doesn’t support standard security protocols like encryption and system-protected folders out of the box. Ars Technica points out that such security vulnerabilities in Electron apps are not new; they have been reported in WhatsApp, Skype, and Slack over the past few years. Vectra says that developers using Electron should use OAuth in their applications to securely store authentication tokens, for example by using KeyTar.
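To make the storage recommendation concrete, here is an added example (not code from Vectra, Microsoft, or Ghacks) that writes the same token to disk once in clear text and once sealed with AES-256-GCM, then checks each file for an exposed token. The function names, file names, and sample token are constructed for illustration, and the key is assumed to be held by the OS credential store (for instance through KeyTar, as the article mentions) rather than generated in-process as it is here.

```javascript
const crypto = require('crypto');
const fs = require('fs');
const os = require('os');
const path = require('path');

// Matches JWT-shaped strings: three base64url segments, header starting "eyJ".
const JWT_RE = /eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}/;

// Pattern described in the article: the token is written to disk as-is.
function savePlain(file, token) {
  fs.writeFileSync(file, JSON.stringify({ token }), { mode: 0o600 });
}

// Hardened form: AES-256-GCM. `key` (32 bytes) must come from the OS credential store.
function saveSealed(file, token, key) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(token, 'utf8'), c.final()]);
  const blob = Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
  fs.writeFileSync(file, JSON.stringify({ sealed: blob }), { mode: 0o600 });
}

// Layout of the sealed blob: 12-byte IV, 16-byte auth tag, ciphertext.
function loadSealed(file, key) {
  const raw = Buffer.from(JSON.parse(fs.readFileSync(file, 'utf8')).sealed, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Regression check: does the on-disk file expose a cleartext token?
function exposesToken(file) {
  return JWT_RE.test(fs.readFileSync(file, 'latin1'));
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'tokstore-'));
  const key = crypto.randomBytes(32); // stand-in for a keychain-held key (assumption)
  // Constructed sample token, not a real credential.
  const token = 'eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl';
  const plain = path.join(dir, 'plain.json');
  const sealed = path.join(dir, 'sealed.json');
  savePlain(plain, token);
  saveSealed(sealed, token, key);
  const result = { plain: exposesToken(plain), sealed: exposesToken(sealed),
                   roundTrip: loadSealed(sealed, key) === token };
  fs.rmSync(dir, { recursive: true });
  return result;
}
```

Sealing only helps if the key lives outside the application's data folder; a key stored next to the sealed file leaves the token as exposed as the clear-text version.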

Microsoft says it’s not a serious problem

Microsoft has acknowledged the vulnerability, but a company spokesperson told the security blog Dark Reading that it has chosen not to patch the bug immediately. The statement reads:

“The described technique does not meet our standards for immediate service as it requires an attacker to first gain access to the target network.”

In other words, it says that unless the user’s network has been compromised, either locally or via malware (which can be used to trigger remote code execution), this shouldn’t pose a threat to most users.

Connor Peoples, a security architect at Vectra Security, said that since Microsoft is moving towards Progressive Web Apps, this will reduce Electron’s problems. The security company has advised users not to use the Microsoft Teams desktop app until the vulnerability has been patched, and has instead recommended using Teams via a web browser.

Summary

Microsoft Teams stores authentication tokens in clear text. The Redmond company said the vulnerability was not a serious threat.

Author: Aswin

Publisher: Ghacks Technology News
