A security vulnerability has been found in Microsoft Teams. A report published by security firm Vectra, reveals that Microsoft Teams stores authentication tokens in clear text.
Microsoft Teams security issues
The vulnerability exists in the desktop versions of Teams for Windows, macOS, and Linux. Threat actors who have local (physical) or remote access to the victim’s system, can access the credentials of logged in users, without requiring administrator privileges. Hackers can bypass the requirement of 2-factor authentication even if it is enabled in the account, and access other related applications such as Skype and Outlook. These could potentially be exploited to impersonate other users, corrupt data, or engineer targeted phishing attacks.
Image source: Unsplash
How vulnerabilities are discovered
Vectra researchers are working on a way to help clients, who want to remove old accounts (inactive users) from Microsoft Teams. The app didn’t allow this, so they looked for another way and found some files. One of them contains the authentication token stored by Microsoft Teams, and these credentials are in clear text (unencrypted format). Another file, which is the browser cookie database, also has this token.
The security company created a proof of concept to test whether an exploitable vulnerability allowed access to user accounts. It uses the SQLite engine, to download the data to a local folder and extract the Skype Access token from it. This is then used to send test messages, proving that the vulnerability allows access to other applications.
Such malicious tactics can be used by hackers to penetrate organizations, pretending to be the CEO or CFO, to convince other users to perform tasks that could damage the company.
Vectra advisors explain that the Electron framework is to blame for this problem, as it doesn’t support standard security protocols like encryption and system protected folders out of the box. Ars Technica points out that such security vulnerabilities in the Electron app are not new, they have been reported on WhatsApp, Skype, Slack over the past few years. Vectra says that developers using Electron should use OAuth in their applications to securely store authentication tokens, for example, by using KeyTar.
Microsoft says it’s not a serious problem
Microsoft has acknowledged the vulnerability, but a company spokesperson told the security blog, Dark Reading, that they have chosen not to patch the bug immediately. This is what is said,
“The described technique does not meet our standards for immediate service as it requires an attacker to first gain access to the target network
In other words, it says that unless the user’s network has been compromised, either locally or via malware (which can be used to trigger remote code execution), this shouldn’t pose a threat to most users.
Connor Peoples, a security architect at Vectra Security, said that since Microsoft is moving towards Progressive Web Apps, this will reduce Electron’s problems. The security company has advised users not to use the Microsoft Teams desktop app until the vulnerability has been patched, and has instead recommended using Teams via a web browser.
Summary
Article Name
Microsoft Teams stores authentication tokens in clear text
Information
Microsoft Teams stores authentication tokens in clear text. The Redmond company said the vulnerability was not a serious threat.
Author
Aswin
Publisher
Ghacks Technology News
Logo
Advertisement
