A significant vulnerability affects the Microsoft Teams desktop application and allows an attacker to access user authentication tokens! With this token, the attacker can re-authenticate with the same account on another machine.
In just a few years, Microsoft Teams has become an essential collaborative solution, and today it has more than 270 million users!
The new security flaw affects the Microsoft Teams application that you install on your computer to avoid using the web version, and it concerns the applications for Windows, Linux and macOS! It turns out that Teams stores the user's authentication token in the clear on disk (in an .ldb file), without protecting access to this sensitive information. An attacker with access to a machine where Teams is installed and signed in to a user account can steal the authentication token in order to re-authenticate with the user's account, even if it is protected by MFA!
As Connor Peoples from Vectra states: “This attack does not require special permissions or advanced malware to do significant damage.” Indeed, one can imagine that if the attacker recovers the authentication token of the company's General Manager, he can perform actions that are detrimental to the company, or even convince users to perform certain actions in the name of the big boss.
Microsoft Teams is an application based on the Electron framework (like many other desktop versions of popular applications), and it supports the same functions as the browser version: cookies, sessions, logs, etc. The problem is that Electron does not support encryption or file protection by default, and correcting these two shortcomings requires significant work. On such popular, and therefore critical, applications we would nevertheless like this to be done.
By analyzing how Teams works, researchers at Vectra found that the “Cookies” folder contained valid authentication tokens, as well as account information, session data, and marketing tags. This is particularly dangerous because information-stealing malware, especially malware targeting browsers, is becoming more common. As I said before, by stealing this data, an attacker can re-authenticate with the user's account on another machine.
How to protect against authentication token theft?
Vectra researchers discovered this security issue in August 2022 and reported it to Microsoft. However, Microsoft does not seem to agree on the severity of this flaw, and for the moment the vulnerability is not fixed, although it would be on the agenda for a future version of Teams. The American company believes this is not urgent, because to exploit the vulnerability the attacker must already have gained access to the target machine by another means. This response from Microsoft reminds me of another attack technique, GIFShell, discussed last week.
Vectra recommends that users stop using the Teams desktop application and use the web version of Teams instead, for example in Microsoft Edge. This is sufficient to protect against authentication token theft. Otherwise, you should monitor the processes that access these locations:
- [Windows] %AppData%\Microsoft\Teams\Cookies
- [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
- [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
- [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
- [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
- [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
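As a starting point for the monitoring the article recommends, here is an added example (not code from the article, Vectra or Microsoft) that builds the six storage paths listed above for the current platform and flags any that exist and are readable by accounts other than the owner. The function names, the POSIX mode-bit check and the constructed test files are this example's own assumptions; on Windows, NTFS ACLs decide access, so the example only reports the path there.

```python
"""Audit where the Microsoft Teams desktop client keeps its Cookies and
leveldb stores, and flag copies that other local accounts could read.
Added example: the path list comes from the article; the audit logic
and function names are assumptions of this example, not vendor tooling."""
import os
import platform
import stat

# Storage locations quoted in the article, one Cookies/leveldb pair per platform.
TEAMS_STORE_SUFFIXES = {
    "Windows": [r"\Microsoft\Teams\Cookies",
                r"\Microsoft\Teams\Local Storage\leveldb"],
    "Darwin": ["Library/Application Support/Microsoft/Teams/Cookies",
               "Library/Application Support/Microsoft/Teams/Local Storage/leveldb"],
    "Linux": [".config/Microsoft/Microsoft Teams/Cookies",
              ".config/Microsoft/Microsoft Teams/Local Storage/leveldb"],
}


def teams_token_paths(system, home, appdata=None):
    """Return the Teams store paths for one platform.
    `system` is a platform.system() value ("Windows", "Darwin", "Linux");
    on Windows `appdata` is the expanded %AppData% directory, elsewhere
    `home` is the user's home directory."""
    suffixes = TEAMS_STORE_SUFFIXES[system]
    if system == "Windows":
        if appdata is None:
            raise ValueError("appdata (expanded %AppData%) is required on Windows")
        # Keep the article's backslash form rather than os.path.join, so the
        # result is the same whatever host runs the audit.
        return [appdata + s for s in suffixes]
    return [os.path.join(home, s) for s in suffixes]


def audit_path(path):
    """Describe one store: whether it exists, its permission bits, and
    whether group or world read bits are set (POSIX semantics only; on
    Windows ACLs govern access, so `exposed` is reported as None)."""
    if not os.path.exists(path):
        return {"path": path, "exists": False, "mode": None, "exposed": None}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name != "posix":
        return {"path": path, "exists": True, "mode": mode, "exposed": None}
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"path": path, "exists": True, "mode": mode, "exposed": exposed}


def audit_teams_storage(paths):
    """Return only the stores that exist and are readable beyond their owner."""
    return [r for r in map(audit_path, paths) if r["exists"] and r["exposed"]]


if __name__ == "__main__":
    system = platform.system()
    paths = teams_token_paths(system, os.path.expanduser("~"),
                              os.environ.get("APPDATA"))
    findings = audit_teams_storage(paths)
    for f in findings:
        print(f"exposed: {f['path']} (mode {f['mode']:o})")
    if not findings:
        print("no Teams token store readable by other local accounts")
```

The check looks only at the top-level Cookies file and leveldb directory; a complete audit would also walk the .ldb files inside leveldb, and on Windows would inspect the ACL instead of the mode bits. Feeding the same path list to your EDR or file-integrity monitoring (auditd on Linux, Sysmon file-access events on Windows) is what turns this one-off audit into the process monitoring the article asks for.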
To be continued…