Microsoft Teams security flaw lets hackers steal accounts - and there’s no fix in sight

Microsoft Teams Rooms
(Image credit: Microsoft)

There is a security flaw in Microsoft Teams that allows threat actors to log into other people’s accounts, even if those accounts are protected with multi-factor authentication, researchers have claimed.

Cybersecurity analysts from Vectra say the Teams desktop application for Windows, Linux, and Mac, stores user authentication tokens in cleartext, without any locks guarding the access. Anyone with local access to a system with Teams installed can steal these tokens and use them to log into the accounts. 

"This attack does not require special permissions or advanced malware to get away with major internal damage," Vectra’s Connor Peoples said - Microsoft, on the other hand, says the whole deal is blown out of proportion and it is not interested in addressing the issue at this time.

Active tokens

The problem lies in the fact that Microsoft Teams is an Electron app, running in a browser windows. As Electron does not come with support for encryption, or protected file locations by default, it is somewhat easier to use, but also risky on the data protection side of things. Deeper analysis uncovered that the tokens were not stored in error, or as part of a previous data dump. 

"Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs,” Vectra explained. What’s more, the “cookies” folder also held tokens, account information, session data, and other valuable information. 

But Microsoft played the whole thing down, saying it isn’t that severe and that it doesn’t meet the criteria for patching.

In a statement sent to BleepingComputer, Microsoft said “The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.”

Vectra, on the other hand, disagrees, and to prove its point, it developed an exploit that abuses an API call, allowing a user to send messages to themselves. By reading the cookies database through SQLite engine, the exploit was able to receive the authentication tokens in a message. 

If you’re worried about your business having its tokens snatched, you should switch to the browser version of the Teams client, Vectra suggests. Linux users should migrate to a different collaboration platform, as well. 

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.