June 9, 2023



Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs

Security analysts have found a severe security vulnerability in the desktop application for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.

Microsoft Teams is a communication platform, included in the 365 product family, used by more than 270 million people for exchanging text messages, videoconferencing, and storing files.

The newly discovered security issue affects versions of the application for Windows, Linux, and Mac and concerns Microsoft Teams storing user authentication tokens in clear text without protecting access to them.

An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim’s account.

“This attack does not require special permissions or advanced malware to get away with major internal damage,” Connor Peoples at cybersecurity company Vectra explains in a report this week.

The researcher adds that by taking “control of critical seats–like a company’s Head of Engineering, CEO, or CFO—attackers can convince users to perform tasks damaging to the organization.”

Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it does not meet the criteria for patching.

Problem details

Microsoft Teams is an Electron application, meaning that it runs in a browser window, complete with all the elements required by a regular web page (cookies, session strings, logs, etc.).

Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.

Vectra analyzed Microsoft Teams while trying to find a way to remove deactivated accounts from client applications, and found an ldb file with access tokens in clear text.

“Upon review, it was determined that these access tokens were active and not an accidental dump of a previous error. These access tokens gave us access to the Outlook and Skype APIs.” – Vectra

Moreover, the analysts discovered that the “Cookies” folder also contained valid authentication tokens, along with account information, session data, and marketing tags.

Authentication token in the Cookies directory (Vectra)

Finally, Vectra created an exploit by abusing an API call that allows sending messages to oneself. Using the SQLite engine to read the Cookies database, the researchers received the authentication tokens as a message in their chat window.

Token received as text in the attacker’s own chat (Vectra)

The biggest concern is that this flaw will be abused by information-stealing malware, which has become one of the most commonly distributed payloads in phishing campaigns.

Using this type of malware, threat actors will be able to steal Microsoft Teams authentication tokens and remotely log in as the user, bypassing MFA and gaining full access to the account.

Info-stealers are already doing this for other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord, and many more.

Risk mitigation

With a patch unlikely to be released, Vectra’s recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the application, users benefit from additional protections against token leaks.

The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the application for the platform by December.

Those who cannot move to a different solution immediately can create a monitoring rule to detect processes accessing the following directories:

  • [Windows] %AppData%\Microsoft\Teams\Cookies
  • [Windows] %AppData%\Microsoft\Teams\Local Storage\leveldb
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Cookies
  • [macOS] ~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Cookies
  • [Linux] ~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb
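As an added example (not Vectra’s or BleepingComputer’s code), the following Python routine applies the monitoring rule above to file-access records from an endpoint sensor, normalizing Windows path casing and separators and expanding the %AppData% and ~ prefixes before matching. The Teams image names, the FileEvent record layout and the sample events are assumptions constructed for the example.

```python
import posixpath
from collections import namedtuple
# Token stores named in the article, per platform (Windows paths use backslashes).
TOKEN_STORES = {
    "windows": [r"%AppData%\Microsoft\Teams\Cookies",
                r"%AppData%\Microsoft\Teams\Local Storage\leveldb"],
    "macos": ["~/Library/Application Support/Microsoft/Teams/Cookies",
              "~/Library/Application Support/Microsoft/Teams/Local Storage/leveldb"],
    "linux": ["~/.config/Microsoft/Microsoft Teams/Cookies",
              "~/.config/Microsoft/Microsoft Teams/Local Storage/leveldb"],
}
# Assumed image names of the legitimate client (not from the article); a production
# rule should key on the signed image path, since a stealer can reuse the name.
TEAMS_IMAGES = {"windows": "teams.exe", "macos": "microsoft teams", "linux": "teams"}
# One sensor record: platform, accessing process image name, path touched, and the
# user's home directory (the %AppData% root on Windows) used to expand the prefixes.
FileEvent = namedtuple("FileEvent", "platform process path home")
def normalize_path(platform, path, home):
    # Unify separators, expand the %AppData% or ~ prefix, fold case on Windows.
    p, home = path.replace("\\", "/"), home.replace("\\", "/")
    for prefix in ("%appdata%", "~"):
        if p.lower().startswith(prefix):
            p = home + p[len(prefix):]
    p = posixpath.normpath(p)
    return p.lower() if platform == "windows" else p

def matched_store(ev):
    # Return the token-store directory the event falls under, or None.
    target = normalize_path(ev.platform, ev.path, ev.home)
    for store in TOKEN_STORES[ev.platform]:
        prefix = normalize_path(ev.platform, store, ev.home)
        if target == prefix or target.startswith(prefix + "/"):
            return store
    return None

def detect(events):
    # Alert on any process other than the Teams client touching a token store.
    alerts = []
    for ev in events:
        store = matched_store(ev)
        if store and ev.process.lower() != TEAMS_IMAGES[ev.platform]:
            alerts.append(f"{ev.platform}: {ev.process} read {store}")
    return alerts
# Constructed sample events: one legitimate read, two suspicious, one unrelated file.
SAMPLE_EVENTS = [
    FileEvent("windows", "Teams.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Cookies", r"C:\Users\alice\AppData\Roaming"),
    FileEvent("windows", "stealer.exe", r"c:\users\alice\appdata\roaming\microsoft\teams\local storage\leveldb\000003.ldb", r"C:\Users\alice\AppData\Roaming"),
    FileEvent("linux", "python3", "/home/bob/.config/Microsoft/Microsoft Teams/Cookies", "/home/bob"),
    FileEvent("linux", "bash", "/home/bob/.config/Microsoft/Microsoft Teams/Other", "/home/bob"),
]
```

Running `detect(SAMPLE_EVENTS)` flags only the stealer.exe and python3 reads; the Teams client’s own read and the sibling directory produce no alert.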

BleepingComputer has contacted Microsoft about the company’s plans to release a fix for the issue and will update the article when we get an answer.

Update 9/14/22 – A Microsoft spokesperson sent us the following comment regarding Vectra’s findings:

The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network.

We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing it in a future product release.