Researchers warn that there is a risk of account hijacking because Microsoft Teams authentication tokens are stored in plaintext



The desktop app of the online video conferencing tool 'Microsoft Teams' has a serious security vulnerability that allows attackers to obtain authentication tokens and access user accounts, even those with multi-factor authentication (MFA) turned on.

Undermining Microsoft Teams Security by Mining Tokens
https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs
https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/

According to security firm Vectra, the security issue it discovered stems from Microsoft Teams storing user authentication tokens in plaintext, with nothing protecting access to them.

Microsoft Teams is an application based on the software framework 'Electron', which runs in a browser window complete with the cookies, session IDs, logs, etc. that a normal web page needs.

The Electron framework is versatile and easy to use, but it does not support encryption or protected file locations by default, so developing a product secure enough to avoid fatal flaws is expected to require extensive customization and additional work.

When Vectra was looking for a way to delete old accounts from Microsoft Teams, it found an ldb file in which access tokens related to account authentication were written in plaintext. Cookies containing session IDs and ad tags were found in another folder, and tokens were also stored in plaintext there.

Vectra then developed an exploit that abused an API call that allowed it to send messages to itself. By using SQLite to read the aforementioned cookie database, it was able to receive the authentication token as a message.



Vectra said, "The biggest concern is that this flaw will be exploited by information-stealing malware. We are concerned that full access to

Vectra discovered this vulnerability in August 2022 and reported it to Microsoft, but Microsoft disagreed with the severity presented by Vectra and said it did not meet the patch application criteria. When the news site BleepingComputer contacted Microsoft, it replied, "In this strategy, the attacker must first access the target network, so it does not meet the criteria that an immediate fix is required. We thank Vectra for their cooperation in identifying and responsibly disclosing the issue, and will consider addressing it in future product releases."

With no prospect of a patch being released, Vectra recommends that users use the browser version of Microsoft Teams instead of the app.

in Software,   Security, Posted by log1p_kr