
Microsoft Teams application stores authentication tokens unencrypted; developers do not consider this critical

Vectra has discovered that the Microsoft Teams desktop application in Windows, Linux and Mac versions stores authentication tokens in plain, unencrypted text. Microsoft developers are aware of the situation. They don't consider it a critical problem.


Security analysts believe it's a serious security vulnerability in the Microsoft Teams application that gives attackers access to authentication tokens and accounts with multi-factor authentication (MFA) enabled. Not only does Microsoft Teams store user authentication tokens in the clear, but it also does not secure access to the files containing this data in any way.

An attacker or insider with local access to a system where Microsoft Teams is installed can copy authentication tokens and use them to log in to the victim's account. Vectra researchers discovered the problem in August 2022 and reported it to Microsoft.

Microsoft Teams is an application created using the Electron desktop application development framework. It runs in a browser window with all the elements needed for a normal web page (cookies, session strings, logs, and so on). By default, Electron does not support encryption or secure file locations. Among experts, this way of creating applications is not considered secure enough for developing mission-critical products, unless additional data protection systems are applied to them.

Vectra experts initially decided to analyze Microsoft Teams, trying to find a way to remove deactivated accounts from client applications. In the process, they discovered the ldb file with the authentication tokens in the clear.


Upon verification, it was found that these tokens were active and were not an accidental data dump that had occurred on the system due to an error. These tokens gave security experts access to the user's Outlook and Skype accounts.


In addition, analysts found that the Cookies folder also contained valid authentication tokens, as well as account information, session data and marketing tags from the Microsoft Teams application.


The researchers developed an exploit with which they were able to retrieve and verify their new tokens.


Vectra experts believe that attackers could scan other computers on the network for similar tokens and take control of Microsoft Teams user accounts.

Microsoft disagreed with the seriousness of the problem and said it did not meet the criteria for a quick fix. "The technique described in the attack does not meet our bar for an immediate response, as it requires the attacker to first gain access to the client's internal network or have local access to the victim's PC," Microsoft explained.

Microsoft thanked Vectra for disclosing information on the issue and promised to consider addressing it in a future version of the Microsoft Teams app without specifying a patch release date.

Vectra experts recommend that users delete the Microsoft Teams application and all related files and use only the browser version of the Microsoft Teams client, which has additional data protection and blocks authentication token leaks.


System administrators whose companies cannot switch to another solution are encouraged to create a monitoring rule to detect processes accessing the following directories:

  • [Windows] %AppData%\Microsoft\Teams\Cookies;
  • [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb;
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies;
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb;
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies;
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb.
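One way to express such a monitoring rule, as an added example that is not from Vectra or Microsoft: it filters file-access events for the directories listed above and flags any accessing process that is not Teams itself. The event field names, the sample events and the list of expected process names are assumptions made for illustration.

```python
import re

# Directories from the article, as path fragments below the user's profile.
ROOTS = [
    "appdata/roaming/microsoft/teams",              # Windows (%AppData%)
    "library/application support/microsoft/teams",  # macOS
    ".config/microsoft/microsoft teams",            # Linux
]
SUBPATHS = ["cookies", "local storage/leveldb"]
WATCHED = re.compile(
    "/(?:" + "|".join(re.escape(r) for r in ROOTS) + ")/(?:"
    + "|".join(re.escape(s) for s in SUBPATHS) + ")(?:/|$)"
)

# Assumption: process names expected to touch these files. Name matching alone
# is spoofable; a production rule should also pin the full image path or signer.
EXPECTED = {"teams.exe", "teams", "microsoft teams"}


def norm(path):
    """Lower-case a path and unify separators so one pattern covers all OSes."""
    return path.replace("\\", "/").lower()


def suspicious(events):
    """Return events where a non-Teams process touched a token store."""
    hits = []
    for ev in events:
        if not WATCHED.search(norm(ev["path"])):
            continue  # access is outside the monitored directories
        image = norm(ev["image"]).rsplit("/", 1)[-1]
        if image not in EXPECTED:
            hits.append(ev)
    return hits


# Constructed sample events (field names are hypothetical, not a real log schema).
SAMPLE = [
    {"host": "ws01", "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Local Storage\leveldb\000005.ldb"},
    {"host": "mac7", "image": "/usr/bin/sqlite3",
     "path": "/Users/bob/Library/Application Support/Microsoft/Teams/Cookies"},
    {"host": "lnx3", "image": "/usr/bin/python3",
     "path": "/home/carol/.config/Microsoft/Microsoft Teams/Cookies.bak"},
]

if __name__ == "__main__":
    for ev in suspicious(SAMPLE):
        print(f"ALERT {ev['host']}: {ev['image']} accessed {ev['path']}")
```

The events themselves have to come from file-access auditing on the endpoint, which is not enabled by default on any of the three platforms.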
