Auth Token Mining Weakens Microsoft Teams Security

Microsoft Teams users, beware. Anyone signed into the app can have their credentials stolen by miscreants with file system access who follow an attack path recently identified by the Vectra Protect team. And at the heart of the matter is the security-issue-plagued Electron.

“Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access,” Connor Peoples, SSPM architect at Vectra, wrote in a blog post, adding that the vulnerability impacts all commercial and GCC Desktop Teams clients for Windows, Mac and Linux.

“Our research discovered that the Microsoft Teams App stores authentication tokens in cleartext,” Peoples wrote. “With these tokens, attackers can assume the token holder’s identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker’s system.”

As if that’s not bad enough, attackers can use the stolen tokens “to conduct actions against MFA-enabled accounts, creating an MFA bypass,” Vectra’s Peoples found.

The Vectra Protect team first became aware of the problem when a customer complained about the way Teams manages disabled identities, noting that end users can’t remove deactivated accounts via the UI. That’s because “the Teams application requires the account to be signed in to remove it from the client,” Peoples said. “Of course, users cannot do this when their user account is disabled.”

When the Vectra Protect team looked at the local configuration data inside the Teams client, they found the problem lay with Teams being an Electron-based app.

“Electron works by creating a web application that runs through a customized browser” and while that is “very convenient and makes development quick and easy,” Peoples said, “running a web browser within the context of an application requires traditional browser data like cookies, session strings and logs.”

That can result in “developers who do not fully understand how Electron works” creating “overly transparent applications,” Peoples wrote.

“Since Electron obfuscates the complexities of creating the application, it is safe to assume that developers are unaware of the ramifications of their design decisions,” he said. “Electron does not support standard browser controls like encryption, and system-protected file locations are not supported by Electron out of the box and must be managed effectively to remain secure.”

During their probe, the researchers discovered an ldb file with access tokens in clear text that were active—those tokens provided access to Outlook and Skype APIs. “It is important to know that the Microsoft Teams architecture is a conglomeration of a wide variety of M365 services that relies on Skype, SharePoint and Outlook to function—this explains the presence of these tokens,” Peoples said.

They also ran across a browser Cookies database housing all the cookies a user agrees to on every website. They quickly discovered Teams Desktop was storing tokens there as well. “We evaluated each token against the Microsoft jwt validation service, https://jwt.ms. Each token we found was active and worked without requiring additional authentication,” Peoples said. “The realization began to dawn that the initial problem of having to re-install Teams was a much smaller issue than the glaring identity abuse potentially looming in the Microsoft Teams client.”

Microsoft stores credentials so that users have “a seamless single sign-on experience within the desktop application,” Peoples said, but the “implementation of security controls enables attackers to access tokens.”

As a result, the desktop app “creates opportunities for attackers to use credentials outside their intended context because, unlike modern browsers, there are no additional security controls to protect cookie data.”

Those who install and use the Teams client in this state also store credentials “needed to perform any action possible through the Teams UI, even when Teams is shut down,” Peoples said. “This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files. Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks. There is no limit to an attacker’s ability to move through your company’s environment at this point.”

But what is most frightening about an attack exploiting this is that “[i]t does not require special permissions or advanced malware to get away with major internal damage.”

And “with enough compromised machines, attackers can orchestrate communications within an organization,” according to Vectra Protect’s Peoples. “Assuming full control of critical seats—like a company’s head of engineering, CEO or CFO—attackers can convince users to perform tasks damaging to the organization. How do you practice phish testing for this?”

“In essence, this is the still-unsolved problem of stealing cookies and other web credentials by attackers with local access,” said John Bambenek, principal threat hunter at Netenrich. “That isn’t to say it’s not significant.”

Bambenek explained that “the fundamental problem is that attackers can steal a cookie and use it on any number of machines to replay an authenticated machine.”

To alleviate the problem, he said he “would like to see developers and tech companies send these credentials hashed with some local-machine specific information so cookie and credential relay attackers would disappear entirely.”

According to Peoples, Microsoft is aware of the issue, but because it does not meet or exceed the bar for immediate action, the company closed the case. “Until Microsoft moves to update the Teams Desktop Application, we believe customers should consider using the web-based Teams application exclusively,” he said. “For customers who must use the installed desktop application, it is critical to watch key application files for access by any processes other than the official Teams application.”
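One way to act on that last recommendation, as an added example that is not code from the article, Vectra or Microsoft: the script below parses Linux auditd-style file-watch records (constructed here) and flags any successful read of the Teams token stores by an executable other than Teams. The store paths and the Teams binary path are placeholders, since the article does not give them, and the auditd watch rule that would produce such records is assumed to exist.

```python
"""Flag non-Teams processes that read the Teams token stores (added example,
not code from the article, Vectra or Microsoft).  Log lines are CONSTRUCTED in
the shape of Linux auditd SYSCALL/PATH records from a file-watch rule; paths
and the Teams executable are PLACEHOLDERS, not values from the article."""
import re

# The two stores the article describes: the LevelDB (.ldb) directory and the
# browser-style Cookies database (placeholder paths).
WATCHED_PATHS = ("/PLACEHOLDER/teams-profile/leveldb", "/PLACEHOLDER/teams-profile/Cookies")
ALLOWED_EXE = {"/PLACEHOLDER/teams"}  # placeholder path of the Teams binary

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_audit_record(line):
    """Split one key=value auditd line into a dict, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}

def find_suspicious_access(lines, allowed=ALLOWED_EXE):
    """Return (pid, exe, path) for each successful access to a watched path by
    an executable outside the allowlist.  auditd splits an event into a SYSCALL
    record (who) and PATH records (which file) sharing one msg=audit(...) id."""
    syscalls, paths = {}, {}
    for line in lines:
        rec = parse_audit_record(line)
        ev = rec.get("msg")
        if rec.get("type") == "SYSCALL" and rec.get("success") == "yes":
            syscalls[ev] = rec
        elif rec.get("type") == "PATH" and rec.get("name", "").startswith(WATCHED_PATHS):
            paths.setdefault(ev, []).append(rec["name"])
    hits = []
    for ev, names in paths.items():
        sc = syscalls.get(ev)
        if sc and sc.get("exe") not in allowed:
            hits += [(sc.get("pid"), sc["exe"], n) for n in names]
    return hits

# Constructed sample: Teams reading its own store (allowed), another process
# reading an .ldb file (flag), and an access outside the watched paths (ignore).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1663000000.101:501): syscall=257 success=yes pid=4242 comm="teams" exe="/PLACEHOLDER/teams" key="teams_tokens"',
    'type=PATH msg=audit(1663000000.101:501): item=0 name="/PLACEHOLDER/teams-profile/Cookies" nametype=NORMAL',
    'type=SYSCALL msg=audit(1663000000.202:502): syscall=257 success=yes pid=9001 comm="cp" exe="/usr/bin/cp" key="teams_tokens"',
    'type=PATH msg=audit(1663000000.202:502): item=0 name="/PLACEHOLDER/teams-profile/leveldb/000003.ldb" nametype=NORMAL',
    'type=SYSCALL msg=audit(1663000000.303:503): syscall=257 success=yes pid=9002 comm="vim" exe="/usr/bin/vim"',
    'type=PATH msg=audit(1663000000.303:503): item=0 name="/home/user/notes.txt" nametype=NORMAL',
]

if __name__ == "__main__":
    for pid, exe, path in find_suspicious_access(SAMPLE_LOG):
        print(f"ALERT pid={pid} exe={exe} read {path}")
```

In production the same join-on-event-id logic applies to a live `ausearch -k teams_tokens` stream rather than a constructed list.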

Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.

teri-robinson has 196 posts and counting.See all posts by teri-robinson