Microsoft Teams Desktop App storing auth-token in Plain Text

Security researchers found a critical vulnerability in the Microsoft Teams desktop app that exposes authentication tokens. The vulnerability allows attackers to access accounts using these tokens even if multi-factor authentication (MFA) has been enabled. Because Microsoft will not close this vulnerability immediately, customers should rely on the Teams web application or monitor which processes access the Teams data directories.

Microsoft Teams is a communication and collaboration platform developed by Microsoft that combines chat, meetings, notes and attachments. The Teams service is integrated into the Microsoft 365 suite with Microsoft Office and Skype/Skype for Business.

The affected versions of the application are vulnerable on Windows, Linux, and macOS; the flaw is that Microsoft Teams stores user authentication tokens in clear text, without any form of encryption.

An attacker with local access to a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim's account.

This attack does not require special permissions or advanced malware to cause major internal damage.

The researcher adds that by taking control of critical seats, such as a company's Head of Engineering, CEO, or CFO, attackers can convince users to perform tasks damaging to the organization.

The researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree with the assessed severity of the issue and said that it does not meet the criteria for patching.


Problem Details

During their investigation, the researchers came across the Electron framework, which is used to build the Microsoft Teams app. Electron lets developers create a web application that runs inside a custom browser. This is very convenient and makes development quick and easy, and Microsoft relies on Electron to deliver the app on multiple platforms.

Electron does not support encryption or protected file locations by default, so while the framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work are applied.

The researcher analyzed Microsoft Teams while trying to find a way to remove deactivated accounts from client apps, and found an ldb file containing access tokens in clear text.

Additionally, the analysts discovered that the “Cookies” folder also contained valid authentication tokens, along with account information, session data, and marketing tags.

Finally, the researcher developed an exploit by abusing an API call that allows sending messages to oneself. Using the SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their own chat window.


Recommendations

The recommendation for users is to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks.

For those who can't move to a different solution immediately, a monitoring rule can be created to discover processes accessing the following directories:

  • [Windows] %AppData%\Microsoft\Teams\Cookies
  • [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
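
As an added example that is not part of the advisory, the following Python applies that monitoring rule offline to a few constructed file-access events: it matches the six locations above by path suffix, so the rule is independent of drive letter and home directory, and flags any process other than the Teams client that touches them. The JSON event shape and the allow-list of process names are assumptions; real telemetry would come from Sysmon, auditd or a similar file-access source mapped onto these fields.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

# Token stores named in the advisory, as lower-cased path suffixes so the
# rule matches regardless of drive letter or home directory.
MONITORED_SUFFIXES = (
    ("microsoft", "teams", "cookies"),                             # Windows, macOS
    ("microsoft", "teams", "local storage", "leveldb"),            # Windows, macOS
    ("microsoft", "microsoft teams", "cookies"),                   # Linux
    ("microsoft", "microsoft teams", "local storage", "leveldb"),  # Linux
)

# Process names expected to read these stores (assumed allow-list).
ALLOWED_PROCESSES = {"teams.exe", "teams", "microsoft teams"}

def _segments(path: str) -> list:
    """Split a Windows or POSIX path into lower-cased components."""
    cls = PureWindowsPath if "\\" in path else PurePosixPath
    return [p.lower() for p in cls(path).parts if p != "/"]

def is_monitored_path(path: str) -> bool:
    """True if path is a token store itself or any file beneath one."""
    segs = _segments(path)
    for suffix in MONITORED_SUFFIXES:
        n = len(suffix)
        # The suffix may end at the tail (the Cookies file) or earlier
        # (an .ldb file inside the leveldb directory): try every end position.
        for end in range(len(segs), n - 1, -1):
            if tuple(segs[end - n:end]) == suffix:
                return True
    return False

def find_token_store_access(log_lines: list) -> list:
    """Return events where a process outside the allow-list touched a store.
    Events are JSON objects with ts/process/path keys (a constructed format)."""
    alerts = []
    for line in log_lines:
        rec = json.loads(line)
        if is_monitored_path(rec["path"]) and rec["process"].lower() not in ALLOWED_PROCESSES:
            alerts.append(rec)
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    r'{"ts": "2022-09-13T10:01:02Z", "process": "Teams.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"}',
    r'{"ts": "2022-09-13T10:02:40Z", "process": "python.exe", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Local Storage\\leveldb\\000005.ldb"}',
    r'{"ts": "2022-09-13T10:03:11Z", "process": "Teams", "path": "/Users/carol/Library/Application Support/Microsoft/Teams/Cookies"}',
    r'{"ts": "2022-09-13T10:04:59Z", "process": "sqlite3", "path": "/home/bob/.config/Microsoft/Microsoft Teams/Cookies"}',
    r'{"ts": "2022-09-13T10:05:30Z", "process": "cat", "path": "/home/bob/.config/Microsoft/notes.txt"}',
]
```

Running `find_token_store_access(SAMPLE_LOG)` returns only the `python.exe` and `sqlite3` events: the Teams client's own reads and the unrelated `notes.txt` access are left alone.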