Microsoft Teams, the collaboration platform included in the Office 365 suite, has been found to store authentication tokens in cleartext on Windows, Linux and Mac devices according to security researchers at Vectra. The vulnerability exists for the Teams desktop client, and does not affect Teams while used in a browser.
Over 270 million users are registered with Microsoft Teams.
However, attacks can leverage the authentication tokens to then access accounts and defeat multi-factor authentication (MFA).
With authentication tokens stored as clear text, the accounts have no other mechanism for protection from an account hijack. Attackers would be able to take the authentication tokens and log into the victim’s account.
Connor Peoples, researcher at Vectra explains in a report:
"By taking control of critical seats–like a company's Head of Engineering, CEO, or CFO—attackers can convince users to perform tasks damaging to the organization."
Vectra first discovered and reported the finding to Microsoft in August, 2022. Shockingly, Microsoft disagreed with the severity of the vulnerability and said that it doesn’t meet the criteria for patching.
Vectra’s sole recommendation given Microsoft’s lack of response is to use Teams in a web browser exclusively – ideally Edge.
System administrators and security teams should monitor the following directories for any processes that access the following directories:
- [Windows] %AppData%\Microsoft\Teams\Cookies
- [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
- [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
- [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
- [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
- [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
Despite repeated attempts from the cybersecurity community to force Microsoft to release a patch, Microsoft said in a statement that it will only “consider addressing [this issue] in a future product release.”
Microsoft also believes that the risk is low, since this attack requires an attacker to first breach the target network:
“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network.”
Unacceptable to say the least.
