Microsoft Teams Client Stores User Authentication Tokens in Unsecured Text Format

Key Points

A new Microsoft Teams exploit could allow attackers to access sensitive user data.
Microsoft Teams saves auth tokens as cleartext on Windows, Linux, and Mac computers.
Businesses can protect themselves from this exploit by taking some security precautions.

A security vulnerability has been discovered in Microsoft Teams that could allow an attacker to gain access to a user’s account and data. The issue lies in that Teams stores authentication tokens in cleartext, meaning that anyone with access to the application’s installation directory can easily steal them. This issue affects Windows, Mac, and Linux users.

Microsoft has acknowledged the flaw, but there is no indication that a patch will soon be released. In the meantime, users are advised to exercise caution when using the application and to avoid accessing it from untrusted devices or networks. It is also advised to avoid using the Microsoft Teams desktop client altogether until this issue has been fixed. Using the web client in a browser is a more secure option.

Security Alert: Microsoft Teams Vulnerability

The flaw was discovered by the cybersecurity firm Vectra. A Vectra team assisted a customer in removing a disabled account from the Teams settings. Upon further review, Vectra found public tokens that provided access to Skype and Outlook. Vectra determined that the access tokens were active and gave them access to the Outlook and Skype APIs.

The biggest concern is that this flaw could be exploited by malicious actors to steal Microsoft Teams authentication tokens. This would allow them to remotely log in as the user and bypass MFA, gaining full access to the account. Information thieves use similar methods to steal data from other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord, and many more. By using malicious extensions, they can collect user data and send it to remote servers without the user’s knowledge.

How Does the Exploit Work?

Microsoft Teams is a browser-based app that uses the Electron framework. This makes it easy to develop and use, but it is not as secure as other options since it doesn’t include features like encryption or protected file locations. Vectra found that Microsoft Teams stores access tokens in an ldb file, which is not as secure as other methods.

Microsoft requires users to be logged in to uninstall Teams, so Vectra began their research by reviewing the local account configuration data. The Vectra team intended to remove the links to the account they were logged into, but when they searched for the username in the application files, they found public tokens that provided access to Skype and Outlook. Every token they found was active and could grant access without the two-factor authentication process being enabled.

They also found that the “Cookies” folder contained valid authentication tokens, account information, session data, and marketing tags. To prove their concept, Vectra created an exploit that loads the SQLite engine into a local folder, uses it to scan Teams’ local storage for authentication, and then sends a high-priority message with its own token text to the user. This exploit would allow hackers to access sensitive user data without going through the proper channels.

Microsoft Responds to Flaw Discovery

Microsoft has responded to the discovery of a flaw in Microsoft Teams by stating the Vectra exploit “does not meet our immediate service requirements”. Microsoft believes that Vectra’s exploit will require other vulnerabilities to penetrate the network. Microsoft will consider releasing a fix that could be delivered as a future update. However, the software giant has not yet provided a timeline for when that might happen.

The Potential Implications of the Exploit

If left unpatched, this flaw could have major implications for users of Microsoft Teams. While phishing users with their own tokens is one of the potential attack vectors, it is not the only one. An attacker could also use this flaw to brute force their way into an account or carry out other actions that could lead to data loss or theft.

If the Microsoft Teams client is installed and used in its current state, anyone who does so will still have the credentials needed to do any action through the Teams user interface, even when Teams is turned off. Attackers could modify SharePoint files, Outlook mail, calendars, and Teams chat files. They could also carry out more damaging actions, such as selectively destroying data, hijacking communications, or engaging in targeted phishing attacks.

What Can Businesses Do to Protect Themselves?

Fortunately, some steps businesses can take to protect themselves from this exploit. First and foremost, it’s important to ensure that all users have unique passwords for each account they use. Additionally, businesses should consider implementing two-factor authentication for all accounts. Finally, businesses should keep their software up-to-date with the latest security patches. By taking these precautions, businesses can help mitigate the risk posed by this exploit.

Here are some additional security measures businesses can take:

Do not store sensitive information in Teams chat conversations
Monitor process activity for unusual command line arguments related to your chat application (in this case Microsoft Teams)
Implement network detection and response to quickly identify and block malicious traffic associated with lateral movement within your environment
Switch to the browser version of Teams

Vectra recommends using Microsoft Edge to load the app, providing additional protections against token leaks. If you’re a Linux user of the Microsoft Teams app, you may want to switch to the browser version or a different collaboration suite. This is because Microsoft has announced plans to stop supporting the app for Linux by December.

Final Thoughts

This exploit’s discovery highlights the importance of security in the business world. Businesses can help protect themselves from potential attacks by taking some simple precautions. However, it’s also important to stay up-to-date on the latest security threats so that you can be prepared if another exploit is discovered.