Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.
The article discusses the security vulnerability in Microsoft Teams, a collaboration platform used by more than 270 million people. Vectra researchers discovered the problem in August 2022, which gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. The vulnerability is present in versions of the application for Windows, Linux, and Mac, and it is caused by the app storing user authentication tokens in clear text without protecting access to them.
An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log into the victim's account. This flaw could be abused by information-stealing malware, which have become one of the most commonly distributed payloads in phishing campaigns.
Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client, and for Linux users to move to a different collaboration suite. Additionally, they advise users to create a monitoring rule to discover processes accessing certain directories. Microsoft has commented that the technique described does not meet their bar for immediate servicing, and they will consider addressing the issue in a future product release.
The article also discusses the limitations of Multi-Factor Authentication (MFA). It explains that MFA is only a small part of the security posture, and that session management is something different. It also explains that MFA is not enough to protect against stolen session tokens, as the server will not know if it is a different device.
The article suggests that Microsoft should implement a device check together with the token, and register from which device the token came. It also suggests that Microsoft should focus more on security rather than cosmetic features. In conclusion, the article explains that stolen session tokens can be used to gain access to a user's account without going through the normal authentication process, and that security on the endpoint is necessary. Microsoft should implement a device check together with the token, and register from which device the token came in order to protect against data leakage.
📓 Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs
👉🏽 Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. 👉🏽 Discusses security vulnerability in Microsoft Teams used by over 270 million people. 👉🏽 Vectra researchers discovered the issue in August 2022. 👉🏽 Threat actors gain access to authentication tokens and MFA-enabled accounts. 👉🏽 The vulnerability is present on Windows, Linux, and Mac versions of the app. 👉🏽 User authentication tokens are stored in plain text without access protection. 👉🏽 Attackers with local access can steal tokens and log into victim accounts. 👉🏽 Limitations of Multi-Factor Authentication (MFA) and the need for device check. 👉🏽 Vectra recommends switching to browser version or different collaboration suite. 👉🏽 Microsoft has no plans for immediate servicing but may address in future releases. 👉🏽 Stolen session tokens can lead to data leakage, and security on endpoint devices is crucial.
#MicrosoftTeams #SecurityVulnerability #AuthenticationTokens #MultiFactorAuthentication #SessionManagement