Security analysts have discovered a serious security vulnerability in the desktop app for Microsoft Teams that allows threat actors to access authentication tokens and accounts with multi-factor authentication (MFA) enabled.

Microsoft Teams is a communication platform, included in the 365 family of products, used by more than 270 million people to exchange text messages, video conferences and store files.

The recently discovered security issue affects versions of the app for Windows, Linux and Mac and refers to the fact that Microsoft Teams stores user authentication tokens in clear text without protecting access.

An attacker with local access to a system with Microsoft Teams installed could steal the tokens and use them to log into the victim’s account.

“This attack does not require special permissions or advanced malware to get away with major internal damage,” Connor Peoples of cybersecurity firm Vectra explains in a report this week.

The researcher adds that by taking control of “critical seats – such as a company’s chief engineering officer, CEO, or CFO – attackers can convince users to perform tasks that are detrimental to the organization” .

Vectra researchers discovered the issue in August 2022 and reported it to Microsoft. However, Microsoft disagreed on the severity of the issue and said it did not meet the criteria for remediation.

Problem details

Microsoft Teams is an Electron application, which means it runs in a browser window, with all the elements required by a standard web page (cookies, session strings, logs, etc.).

Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough to develop mission-critical products unless customization depth and additional work are applied.

Vectra analyzed Microsoft Teams while trying to find a way to remove disabled accounts from client apps and found a ldb file with clear text access tokens.

Additionally, analysts discovered that the “Cookies” folder also contained valid authentication tokens, as well as account information, session data, and marketing tags.

Finally, Vectra has developed an exploit by abusing an API call that allows messages to be sent to each other. Using the SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their chat window.

The biggest concern is that this flaw will be exploited by information-stealing malware that has become one of the most commonly distributed paylods in phishing campaigns.

Using this type of malware, hackers will be able to steal Microsoft Teams authentication tokens and log in remotely as a user, bypassing MFA and gaining full account access.

Information thieves already do this for other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord and many others.

Risk mitigation

With a patch unlikely to be released, Vectra’s recommendation is that users upgrade to the Microsoft Teams client browser version. By using Microsoft Edge to sideload the app, users gain additional protections against token leaks.

The researchers advise Linux users to upgrade to another collaboration suite, especially since Microsoft has announced plans to stop supporting the app for the platform by December.

For those who cannot immediately switch to another solution, they can create a watch rule to discover processes accessing the following directories:

• [Windows] %AppData%\Microsoft\Teams\Cookies
• [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
• [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
• [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
• [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
• [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb

BleepingComputer has contacted Microsoft about the company’s plans to release a fix for the issue and will update the article when we have a response.

Update 09/14/22 – A Microsoft spokesperson sent us the following comment regarding Vectra’s findings:

The described technique does not meet our immediate service bar because it requires an attacker to first gain access to a target network.

We appreciate Vectra Protect’s partnership in identifying and responsible disclosure of this issue and will consider addressing it in a future product release.