Microsoft Teams stores cleartext auth tokens, won’t be quickly patched

Microsoft’s Teams client stores users’ authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft’s desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes Vectra’s exploit “does not meet our bar for immediate servicing” since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing (the issue) in a future product release.”

Researchers at Vectra discovered the vulnerability while helping a customer remove a disabled account from their Teams setup. Microsoft requires an account to be logged in before it can be removed, so Vectra looked into the local account configuration data, intending to strip out references to the logged-in account. What they found instead, by searching for the user’s name in the app’s files, were tokens stored in the clear that granted Skype and Outlook access. Each token they found was still active and could grant access without triggering a two-factor challenge.

Going further, they crafted a proof-of-concept exploit. Their version downloads an SQLite engine to a local folder, uses it to scan the Teams app’s local storage for an auth token, then sends the user a high-priority message containing the text of their own token. The potential consequences of this exploit are greater than phishing users with their own tokens, of course:

Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks. There is no limit to an attacker’s ability to move through your company’s environment at this point.

Vectra notes that moving through a user’s Teams access presents a particularly rich well for phishing attacks, as malicious actors can pose as CEOs or other executives and seek actions and clicks from lower-level employees. It’s a strategy known as Business Email Compromise (BEC); you can read about it on Microsoft’s On the Issues blog.

Electron apps have been found to harbor deep security issues before. A 2019 presentation showed how browser vulnerabilities could be used to inject code into Skype, Slack, WhatsApp, and other Electron apps. WhatsApp’s desktop Electron app was found to have another vulnerability in 2020, providing local file access through JavaScript embedded into messages.

We’ve reached out to Microsoft for comment and will update this post if we receive a response.

Vectra recommends that developers, if they “must use Electron for your application,” securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and shifting toward Progressive Web Apps, which would provide better OS-level security around cookies and storage.
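The storage pattern Vectra recommends, as an added example in Node/Electron (this is not Vectra’s or Microsoft’s code): the main process keeps OAuth tokens in the OS credential store through keytar and answers renderer requests over IPC without ever handing the token over. The service name is assumed, and the in-memory backend is a constructed stand-in for keytar so the file runs offline.

```javascript
'use strict';
// Added example: OAuth tokens live in the OS credential store (keytar) and
// are used only from the Electron main process, so nothing lands in the
// renderer or in Electron's on-disk localStorage/cookie files.
// Pass require('keytar') as `backend` in a real app; the in-memory stand-in
// below exists only so this file runs offline.
const SERVICE = 'com.example.electron-app'; // assumed keychain service name

// `backend` must offer keytar's API:
//   setPassword(service, account, secret) -> Promise<void>
//   getPassword(service, account)         -> Promise<string|null>
//   deletePassword(service, account)      -> Promise<boolean>
function createTokenStore(backend) {
  return {
    async save(account, token) {
      if (typeof token !== 'string' || token === '') throw new Error('empty token');
      await backend.setPassword(SERVICE, account, token);
    },
    // Renderer-facing: reveals presence only, never the secret itself.
    async hasToken(account) {
      return (await backend.getPassword(SERVICE, account)) !== null;
    },
    // Main-process only: the token is attached to the outgoing request here.
    async authHeader(account) {
      const token = await backend.getPassword(SERVICE, account);
      if (token === null) throw new Error('no token stored for ' + account);
      return { Authorization: 'Bearer ' + token };
    },
    async revoke(account) {
      return backend.deletePassword(SERVICE, account);
    },
  };
}

// Constructed stand-in for keytar: secrets live in process memory only.
function memoryBackend() {
  const store = new Map();
  const key = (service, account) => service + '\u0000' + account;
  return {
    async setPassword(s, a, secret) { store.set(key(s, a), secret); },
    async getPassword(s, a) { return store.has(key(s, a)) ? store.get(key(s, a)) : null; },
    async deletePassword(s, a) { return store.delete(key(s, a)); },
  };
}

// Electron wiring (ipcMain.handle is Electron's API): the renderer may ask
// whether a token exists or revoke it, but has no channel that returns it.
function registerIpc(ipcMain, tokenStore) {
  ipcMain.handle('token:has', (_event, account) => tokenStore.hasToken(account));
  ipcMain.handle('token:revoke', (_event, account) => tokenStore.revoke(account));
}
```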