Teams desktop app is storing authentication tokens without access protection

September 15, 2022

Security experts from the cybersecurity company Vectra reported a severe security issue in the Microsoft Teams desktop app on Windows, Linux, and Mac. According to the group, bad actors can exploit the vulnerability to steal users’ authentication tokens, which bypasses multi-factor authentication and gives them a way to access the user’s account. (via Bleeping Computer)

Vectra found an ldb file while trying to remove deactivated accounts from client apps. According to the analysts, the file contained access tokens in clear text. This indicates that Microsoft Teams stores user authentication tokens without protecting access to them. “Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error,” explained Vectra. “These access tokens gave us access to the Outlook and Skype APIs.”

This can be a serious problem when a bad actor already has local access to the system where Teams is installed, because the tokens are left unprotected there. With information-stealing malware now widespread, it can mean danger for Microsoft Teams users. “This attack does not require special permissions or advanced malware to get away with major internal damage,” Vectra’s Connor Peoples added.

Vectra found the issue last month and immediately reported it to Microsoft. However, just as it did with the “insecure” Teams design elements shared by cybersecurity consultant Bobby Rauch in May and June of 2022, Microsoft dismissed the severity claimed by Vectra.

“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network,” Microsoft told Bleeping Computer when asked for a comment. “We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.”
