Access to Microsoft Teams Authentication Tokens Is Possible without Downloading Complex Malware

Information security specialists have discovered a serious vulnerability in the Microsoft Teams desktop application: a bug allows access to authentication tokens, which, as it turns out, are stored in plain text format, without any protection.

Let me remind you that we also reported that SVCReady Malware Loader Uses Microsoft Office Documents for Attack. Researchers from the information security company Vectra talk about the problem. According to them, the vulnerability affects desktop versions of the application for Windows, Linux and macOS. In fact, an attacker with local access on a system where Microsoft Teams is installed could steal insecure tokens and then use them to sign into someone else’s account.

The researcher adds that by seizing control of the tokens of the head of development, CEO or CFO, attackers can convince other employees of the victim company to perform tasks that will harm the organization. Vectra specialists write that they discovered this problem in August 2022 and immediately reported it to Microsoft, but the developers did not agree that this was a serious problem, saying that it could not be fixed. The thing is that in order to implement an attack, a hacker first needs to gain access to the victim’s network. The root of this error goes back to the fact that Microsoft Teams is an Electron app. That is, it runs in a browser window with all the elements needed for a normal web page (cookies, session strings, logs, and so on). By default, Electron does not support encryption or secure file locations, so while this software environment is versatile and easy to use, it is not considered secure for mission-critical product development. Vectra analysts Microsoft Teams researchers are looking for a way to remove deactivated accounts from client applications, but instead found an ldb file with access tokens in clear text. In addition, they found that the Cookies folder contained valid authentication tokens, as well as account information, session data, and marketing tags. After this discovery, the company created an exploit that abuses the API call, which allows you to send messages to yourself. Using SQLite to read the Cookies database, the researchers managed to obtain authentication tokens via chat messages. In fact, this method can be adopted by operators of infostealers, who will be able to use Microsoft Teams authentication tokens to bypass multi-factor authentication and gain full access to victims’ accounts. Since there will most likely not be a patch, Vectra recommends that users switch to the browser-based version of Microsoft Teams. They are also advising Linux users to switch to a different collaboration product, especially since Microsoft recently announced that it plans to end support for the platform by December.