Microsoft’s workplace messaging app, Teams, stores authentication tokens on disk in unencrypted plain text, potentially allowing an attacker who can read those files to hijack conversations and move laterally within a network.
Security firm Vectra Protect says the issue affects the desktop app for Windows, macOS, and Linux, which is built on the Electron framework.
Although Electron is based on web technologies, it does not by default give an app the protections a standard browser applies to stored credentials, such as encrypting them or keeping them in system-protected file locations.
Vectra researchers identified the issue last month and reported it to Microsoft. The company said it has no immediate plans to fix the flaw, because the issue does not meet its bar for patching and because an attacker would first have to gain access to the target network (and, given where the tokens live, to the victim’s local file system).
Over 270 million people use Microsoft Teams to exchange text messages, host video conferences, and store files.
While looking for a way to remove inactive accounts from client apps, Vectra’s researchers examined the Teams desktop app’s local data and found an .ldb (LevelDB) file containing an access token in plain text.
The Cookies folder likewise contained valid authentication tokens, along with account information, session data, marketing tags, and more.
Vectra built a proof-of-concept exploit: it reads the cookies database with the SQLite engine, extracts the authentication tokens, and uses an API call authenticated with one of those tokens to send a message to the token holder’s own account.
In the demonstration, the harvested tokens arrived as a message in the researchers’ own chat window, confirming that the stolen token was accepted as if it came from the legitimate user.
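The two findings above (a plain-text token in an .ldb file and tokens in the Cookies database) are the kind of thing a practitioner would want to verify on their own endpoints. The script below is an added example, not Vectra’s proof of concept and not Microsoft’s code. It builds a throwaway Chromium-style Cookies SQLite database and an .ldb-like blob in a temporary directory (constructed sample data), then scans both for JWT-shaped strings in the readable `value` column and in the raw file bytes. The `cookies` table columns, the file names, the cookie names and the fake tokens are all assumptions for the demo; the block deliberately stops at detection and does not reproduce the message-sending step.

```python
"""Audit an Electron app's local profile for plaintext bearer tokens.

Added example (not from the original page). Constructed demo data only:
the Cookies schema, file names, cookie names and JWTs are assumptions.
"""
import base64
import json
import os
import re
import sqlite3
import tempfile

# A JWT is three base64url segments; the header of a JSON object always encodes
# to something beginning with 'eyJ' (base64 of '{"'). The regex is deliberately
# loose: it flags candidates for a human to confirm, not proof of a valid token.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]*")


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def make_fake_jwt(claims):
    """Build an unsigned, constructed JWT (alg=none) for the demo; no real issuer."""
    return b".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), b""])


def scan_cookies_db(path):
    """Return (cookie_name, host) pairs whose cleartext `value` column holds a JWT.

    Chromium/Electron cookie stores keep cleartext in `value` and OS-protected
    bytes in `encrypted_value`; a token in `value` is readable by anything that
    can read the file. The column names are an assumption about that schema.
    """
    hits = []
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never modify evidence
    try:
        for host, name, value in con.execute("SELECT host_key, name, value FROM cookies"):
            raw = value.encode() if isinstance(value, str) else value
            if JWT_RE.search(raw):
                hits.append((name, host))
    finally:
        con.close()
    return hits


def scan_ldb_file(path):
    """Return decoded JWT payloads found by grepping a LevelDB-style file as bytes."""
    with open(path, "rb") as f:
        data = f.read()
    found = []
    for m in JWT_RE.finditer(data):
        payload = m.group(0).split(b".")[1]
        payload += b"=" * (-len(payload) % 4)  # restore stripped base64 padding
        try:
            found.append(json.loads(base64.urlsafe_b64decode(payload)))
        except (ValueError, UnicodeDecodeError):
            continue  # looked like a JWT but the payload is not JSON; skip it
    return found


def build_demo_store(root):
    """Create a constructed Cookies DB and .ldb file resembling an Electron profile."""
    cookies = os.path.join(root, "Cookies")
    con = sqlite3.connect(cookies)
    con.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB)")
    token = make_fake_jwt({"sub": "user@example.test", "scope": "chat"})
    con.executemany("INSERT INTO cookies VALUES (?,?,?,?)", [
        ("teams.example.test", "authtoken", token.decode(), b""),   # plaintext JWT: finding
        ("teams.example.test", "session_id", "abc123", b""),        # opaque id: no finding
        ("teams.example.test", "safe_token", "", b"\x01\x02\x03"),  # only encrypted: no finding
    ])
    con.commit()
    con.close()
    ldb = os.path.join(root, "000003.ldb")
    with open(ldb, "wb") as f:  # binary noise around a key/value pair, as in a real .ldb
        f.write(b"\x00\x10_https://teams.example.test\x00\x01token\x00"
                + make_fake_jwt({"sub": "u2", "aud": "graph"}) + b"\xff\x00")
    return cookies, ldb


def audit_demo():
    """Run both scanners over the constructed profile and return a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        cookies, ldb = build_demo_store(root)
        return {
            "cookie_hits": scan_cookies_db(cookies),
            "ldb_subjects": [p.get("sub") for p in scan_ldb_file(ldb)],
        }


if __name__ == "__main__":
    print(audit_demo())
```

To run this against a real profile, point `scan_cookies_db` and `scan_ldb_file` at the app’s own data directory (the paths are platform-specific and not given here); the read-only URI mode matters because opening a live cookie store read-write can alter it. Any hit in the `value` column, as opposed to `encrypted_value`, is exactly the condition the article describes.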
Connor Peoples of Vectra said an attacker holding the tokens can act as the token holder for any activity the Teams client is able to perform, including calling Microsoft Graph API services from the attacker’s own workstation.
Because the tokens are issued after the user has already signed in, they also work against accounts with multi-factor authentication enforced: replaying a stolen token sidesteps the MFA challenge rather than defeating it.
“When attackers take full control of critical workplaces—like a company’s chief technology officer, CEO, or CFO—they can convince users to perform tasks that harm the business,” warns Vectra Protect.
“The technique described does not meet our requirements for immediate maintenance, since an attacker must first gain access to a target network,” a Microsoft spokesperson told Dark Reading.
The spokesperson added that the company will consider fixing the bug in a future product release.
“We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider a resolution in a future product release.”
Until a patch is available, Vectra advises against using the Microsoft Teams desktop app. Its recommended alternative is the Teams web app, which runs inside a standard browser and therefore gets the browser’s own protections for stored credentials.
According to threat hunter John Bambenek, Microsoft is working on progressive web app (PWA) technologies, which he believes would mitigate many of the problems currently caused by Electron.