Microsoft Teams Client Stores User Authentication Tokens in Unsecured Text Format

Key Points

  • A new Microsoft Teams exploit could allow attackers to access sensitive user data.
  • Microsoft Teams saves auth tokens as cleartext on Windows, Linux, and Mac computers.
  • Businesses can protect themselves from this exploit by taking some security precautions.

A security vulnerability has been discovered in Microsoft Teams that could allow an attacker to gain access to a user’s account and data. The issue is that Teams stores authentication tokens in cleartext, so anyone with access to the application’s installation directory can easily steal them. This issue affects Windows, Mac, and Linux users.

Microsoft has acknowledged the flaw, but there is no indication that a patch will soon be released. In the meantime, users are advised to exercise caution when using the application and to avoid accessing it from untrusted devices or networks. It is also advised to avoid using the Microsoft Teams desktop client altogether until this issue has been fixed. Using the web client in a browser is a more secure option.


Security Alert: Microsoft Teams Vulnerability

The flaw was discovered by the cybersecurity firm Vectra while a Vectra team was helping a customer remove a disabled account from the Teams settings. On closer review, Vectra found public tokens in the client’s files that provided access to Skype and Outlook. Vectra confirmed that these access tokens were still active and granted access to the Outlook and Skype APIs.

The biggest concern is that malicious actors could exploit this flaw to steal Microsoft Teams authentication tokens. A stolen token would allow them to log in remotely as the user and bypass MFA, gaining full access to the account. Information-stealing malware already uses similar methods to harvest data from other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord, and many more. Using malicious extensions, it collects user data and sends it to remote servers without the user’s knowledge.

How Does the Exploit Work?

Microsoft Teams is built on the Electron framework, which wraps a browser engine in a desktop application. This makes it easy to develop and use, but it is not as secure as other options, since Electron itself does not provide features like encryption or protected file locations. Vectra found that Microsoft Teams stores access tokens in an ldb (LevelDB) file, which is not as secure as other storage methods.

Microsoft requires users to be logged in to uninstall Teams, so Vectra began their research by reviewing the local account configuration data. The Vectra team intended to remove the links to the account they were logged into, but when they searched the application files for the username, they found public tokens that provided access to Skype and Outlook. Every token they found was active and could grant access without going through the two-factor authentication process.

They also found that the “Cookies” folder contained valid authentication tokens, account information, session data, and marketing tags. As a proof of concept, Vectra created an exploit that loads the SQLite engine into a local folder, uses it to scan Teams’ local storage for authentication tokens, and then sends a high-priority message containing the user’s own token text back to that user. The same technique would allow attackers to access sensitive user data without going through the proper channels.

Microsoft Responds to Flaw Discovery

Microsoft has responded to the discovery of the flaw in Microsoft Teams by stating that the Vectra exploit “does not meet our immediate service requirements”. Microsoft’s position is that an attacker would first need other vulnerabilities to penetrate the network before this one could be used. Microsoft will consider releasing a fix in a future update, but the software giant has not yet provided a timeline for when that might happen.

The Potential Implications of the Exploit

If left unpatched, this flaw could have major implications for users of Microsoft Teams. While phishing users with their own tokens is one of the potential attack vectors, it is not the only one. An attacker could also use this flaw to brute force their way into an account or carry out other actions that could lead to data loss or theft.

Anyone who installs and uses the Microsoft Teams client in its current state will have the credentials needed to perform any action available through the Teams user interface sitting on disk, even when Teams is closed. Attackers could modify SharePoint files, Outlook mail, calendars, and Teams chat files. They could also carry out more damaging actions, such as selectively destroying data, hijacking communications, or engaging in targeted phishing attacks.

What Can Businesses Do to Protect Themselves?

Fortunately, there are some steps businesses can take to protect themselves from this exploit. First and foremost, it’s important to ensure that all users have unique passwords for each account they use. Additionally, businesses should consider implementing two-factor authentication for all accounts. Finally, businesses should keep their software up to date with the latest security patches. By taking these precautions, businesses can help mitigate the risk posed by this exploit.

Here are some additional security measures businesses can take:

  • Do not store sensitive information in Teams chat conversations
  • Monitor process activity for unusual command line arguments related to your chat application (in this case Microsoft Teams)
  • Implement network detection and response to quickly identify and block malicious traffic associated with lateral movement within your environment
  • Switch to the browser version of Teams
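The process-monitoring recommendation above can be made concrete. The following Python script is an added example, not code from the article or from Vectra: it scans process-creation events and flags any process other than the Teams client itself whose command line references the Teams token stores described earlier (the Cookies database and the LevelDB .ldb files), and separately flags a SQLite binary launched from a user-writable folder, which is the pattern of Vectra’s proof of concept. The store paths, the event format and the sample events are all assumptions constructed for the demonstration; verify the paths against your own installation before using the rules in production.

```python
"""Flag process-creation events in which something other than the Teams client
touches the Teams token stores. Sample events below are constructed, not real
telemetry; the paths are assumed, not taken from the article."""
import re

# Assumed on-disk locations of the classic Teams client's token stores.
TEAMS_STORE_PATTERNS = [
    re.compile(r"\\microsoft\\teams\\cookies\b", re.IGNORECASE),
    re.compile(r"\\microsoft\\teams\\local storage\\leveldb", re.IGNORECASE),
    re.compile(r"\\microsoft\\teams\\.*\.ldb\b", re.IGNORECASE),
]
# Directories from which a dropped SQLite binary would typically run (assumed).
USER_WRITABLE_DIRS = re.compile(r"\\(temp|downloads|public)\\", re.IGNORECASE)
TEAMS_IMAGE = "teams.exe"

# Constructed sample events in the shape of a process-creation log
# (image path plus full command line).
SAMPLE_EVENTS = [
    {"EventId": 1,
     "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"'},
    {"EventId": 2,
     "Image": r"C:\Users\alice\AppData\Local\Temp\sqlite3.exe",
     "CommandLine": r'sqlite3.exe "C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"'},
    {"EventId": 3,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\*.ldb" C:\Users\Public'},
    {"EventId": 4,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
]


def image_name(path):
    """Return the lower-cased executable name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse_event(event):
    """Return a list of reasons this event is suspicious (empty if none)."""
    reasons = []
    image = image_name(event["Image"])
    cmdline = event["CommandLine"]

    # Rule 1: a non-Teams process naming one of the Teams token stores.
    if image != TEAMS_IMAGE:
        for pattern in TEAMS_STORE_PATTERNS:
            if pattern.search(cmdline):
                reasons.append(f"{image} references Teams token store ({pattern.pattern})")
                break

    # Rule 2: a SQLite engine running from a user-writable location.
    if image.startswith("sqlite") and USER_WRITABLE_DIRS.search(event["Image"]):
        reasons.append(f"SQLite binary executed from user-writable path: {event['Image']}")

    return reasons


def scan(events):
    """Run both rules over every event; return (event id, image, reason) tuples."""
    return [(e["EventId"], e["Image"], r) for e in events for r in analyse_event(e)]


if __name__ == "__main__":
    for event_id, image, reason in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: {image}: {reason}")
```

Event 1 is the Teams client itself and produces nothing; event 2 trips both rules (a SQLite binary in Temp opening the Cookies database); event 3 trips only the store rule (a shell copying the LevelDB files); event 4 is benign. In a real deployment the same rules map directly onto a process-creation query in your EDR or SIEM, with the store paths adjusted to the Teams build you run.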

Vectra recommends using Microsoft Edge to load the app, which provides additional protections against token leaks. If you use the Microsoft Teams app on Linux, you may want to switch to the browser version or a different collaboration suite, because Microsoft has announced plans to stop supporting the Linux app by December.

Final Thoughts

This exploit’s discovery highlights the importance of security in the business world. Businesses can help protect themselves from potential attacks by taking some simple precautions. However, it’s also important to stay up-to-date on the latest security threats so that you can be prepared if another exploit is discovered.
