Microsoft Teams stores cleartext auth tokens, won’t be quickly patched


Using Teams in a browser is actually safer than using Microsoft's desktop apps, which are wrapped around a browser. It's a lot to work through.


Microsoft’s Teams client stores users’ authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft’s desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes Vectra’s exploit “does not meet our bar for immediate servicing” since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing (the issue) in a future product release.”

Researchers at Vectra discovered the vulnerability while helping a customer trying to remove a disabled account from their Teams setup. Microsoft requires users to be logged in to be removed, so Vectra looked into local account configuration data. They set out to remove references to the logged-in account. What they found instead, by searching the user’s name in the app’s files, were tokens, in the clear, providing Skype and Outlook access. Each token they found was active and could grant access without triggering a two-factor challenge.

Going further, they crafted a proof-of-concept exploit. Their version downloads an SQLite engine to a local folder, uses it to scan a Teams app’s local storage for an auth token, then sends the user a high-priority message with their own token text. The potential consequences of this exploit are greater than phishing some users with their own tokens, of course:

on Microsoft’s On the Issues blog.

Electron apps have been found to harbor deep security issues before. A 2019 presentation showed how browser vulnerabilities could be used to inject code into Skype, Slack, WhatsApp, and other Electron apps. WhatsApp’s desktop Electron app was found to have another vulnerability in 2020, providing local file access through JavaScript embedded into messages.

We’ve reached out to Microsoft for comment and will update this post if we receive a response.

Vectra recommends that developers, if they “must use Electron for your application,” securely store OAuth tokens using tools such as KeyTar. Connor Peoples, security architect at Vectra, told Dark Reading that he believes Microsoft is moving away from Electron and shifting toward Progressive Web Apps, which would provide better OS-level security around cookies and storage.
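As an added illustration of that recommendation (this is not code from Vectra, Microsoft, or the article), the sketch below moves tokens from a cleartext JSON file into the OS credential store through keytar's `setPassword`/`getPassword`/`deletePassword` calls. The service name, the legacy file layout, and the `memoryVault` test double are assumptions made for the example.

```javascript
// Added example: migrate OAuth tokens from a cleartext file to the OS credential store.
// `vault` is any object exposing keytar's promise-based set/get/deletePassword.
const fs = require('fs');

const SERVICE = 'example-electron-app'; // hypothetical service name

// Real vault: keytar is loaded lazily so the module also runs with a test double.
function keytarVault() { return require('keytar'); }

// In-memory stand-in with the same three calls, for tests only.
function memoryVault() {
  const m = new Map();
  const k = (s, a) => `${s}\u0000${a}`;
  return {
    setPassword: async (s, a, p) => { m.set(k(s, a), p); },
    getPassword: async (s, a) => (m.has(k(s, a)) ? m.get(k(s, a)) : null),
    deletePassword: async (s, a) => m.delete(k(s, a)),
  };
}

// Reads a legacy file shaped like {"account": "token", ...} (assumed layout), stores
// each token in the vault, verifies the read-back, then wipes and removes the file.
async function migrateTokens(legacyPath, vault) {
  if (!fs.existsSync(legacyPath)) return [];
  const legacy = JSON.parse(fs.readFileSync(legacyPath, 'utf8'));
  const moved = [];
  for (const [account, token] of Object.entries(legacy)) {
    if (typeof token !== 'string' || token.length === 0) continue;
    await vault.setPassword(SERVICE, account, token);
    if ((await vault.getPassword(SERVICE, account)) !== token) {
      throw new Error(`vault read-back failed for ${account}; legacy file kept`);
    }
    moved.push(account);
  }
  // Best-effort overwrite before unlink; journaling or SSD remapping may keep old blocks.
  fs.writeFileSync(legacyPath, Buffer.alloc(fs.statSync(legacyPath).size));
  fs.unlinkSync(legacyPath);
  return moved;
}

// Sign-out path: delete the stored token so a removed account leaves nothing behind.
async function forgetToken(account, vault) {
  return vault.deletePassword(SERVICE, account);
}
```

In an Electron main process this would be called as `migrateTokens(path, keytarVault())`. The credential store raises the bar over a readable file, but on some platforms other processes running as the same user can still query it.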
