Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Microsoft Privacy

Microsoft Teams Stores Auth Tokens As Cleartext In Windows, Linux, Macs (bleepingcomputer.com) 32

Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. BleepingComputer reports: "This attack does not require special permissions or advanced malware to get away with major internal damage," Connor Peoples at cybersecurity company Vectra explains in a report this week. The researcher adds that by taking "control of critical seats -- like a company's Head of Engineering, CEO, or CFO -- attackers can convince users to perform tasks damaging to the organization." Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn't meet the criteria for patching.

With a patch unlikely to be released, Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks. The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.

This discussion has been archived. No new comments can be posted.

Microsoft Teams Stores Auth Tokens As Cleartext In Windows, Linux, Macs

Comments Filter:
  • by dark.nebulae ( 3950923 ) on Wednesday September 14, 2022 @06:28PM (#62882839)

    M$ Teams is probably the worst slack clone ever, it really sucks balls...

    • *Laughs in ironic*

      The dearly-departed infosec boss at my place pretty much mandated MS teams, and cowed the dearly-departed Director into trying to force it onto us.. but the rest of us stayed on something else. But.. notice those two are goners, some time ago, and we're not.

      Now, that Something Else's probably full of holes too, but hey -- at least it didn't get called out for being horribly insecure.

      Or maybe it has. Oh who cares at this point.

      If the Exchange ownage wasn't enough to sour people on MS, not

      • I work for a vast corporation, headquartered in the US that you have probably heard of and we are in the middle of a project to move everything into Microsoft's cloud. Everything.

        Teams is our most-used means of communicating. Yes, I know.

        Do I care? No, why would I?

    • by gmack ( 197796 )

      Tell me about it. If someone has screen sharing open, I can only view the content if I drag the teams window to the left monitor. Screen sharing draws under or over other windows that happen to be sharing the same screen leaving a garbled mess where the windows overlapped. Weird random shadows that go away if I drag other windows farther from the screen sharing window. I don't know if it's teams in general or some weird interaction with Citrix, but I hate it.

      • Re:Teams is Crap (Score:4, Informative)

        by Junta ( 36770 ) on Wednesday September 14, 2022 @07:24PM (#62882943)

        Also, when someone shares their screen and they want to let you control but you aren't running the Windows client? Tough luck, not going to happen. Which is a *bizarre* restriction, a web element can just as easily receive mouse and keyboard events. But let's say that you do control...

        Ok, you want to hit tab completion, whoops, that just goes to another element. A number of common keyboard shortcuts you might want to use on the target display, teams intercepts and does weird things...

        And a simple one, if I hit ctrl-shift-c (my terminal copy shortcut) but accidentally have Teams open, well I just immediately called whatever chat window happened to have focus without so much as a confirmation. Every couple of days a big chat room obnoxiously calls me because some random person made the mistake of hitting ctrl-shift-c again...

        Oh yes, I remember a conversation and need it, let me search the text, click on it hoping to bring me to the point in history where it came up, nope, it just shows me a *single* text with no ability to navigate to the context...

        I'm going to attach a file, I navigated several directories deep and accidentally clicked the wrong one... whoops I'll just go to the parent directory... nope, no parent directory option in their bespoke file chooser, you have to start over. Instead of using a standard file chooser, they rolled one from scratch that can't even navigate up a directory...

        Then of course there's the *atrocious* scroll performance. You start scrolling into history and it just is mind numbingly slow...

        But since the company pays for Office365 *anyway*, well, what sense would it make to use anything else? We are all just whiners and should be happy with this blessing from Microsoft...

    • Well, maybe with the exception of Slack itself. Slack thinks it can somehow replace email. https://www.cnbc.com/2019/06/2... [cnbc.com] Yet Slack still relies on email to establish new conversations outside the company. https://www.lifewire.com/will-... [lifewire.com].

      Teams and Slack both have their issues, but as a regular Teams user and former Slack user, I can see Teams improving by leaps and bounds. In recent months, most of the really annoying problems have been resolved. I'm not sure Slack can afford the development team neces

    • by Bert64 ( 520050 )

      Slack costs extra, a free alternative like rockletchat requires servers, expertise and admin overhead to run... Many companies are already locked in to MS services, so teams comes for free. If not for this, i doubt many places would be using it at all.

      With this being the primary driver of their userbase, why would they bother to improve anything? They don't need to try and compete on functionality..

    • by AmiMoJo ( 196126 )

      I really can't understand how Teams is so shit, TBH. Presumably it is used widely at Microsoft, so you would have thought that the developers would have had plenty of motivation to make it suck less. Despite that even the most basic functions don't work, like scrolling as new messages are posted. It's like some amateur hour student project written in Visual BASIC.

  • Meh (Score:5, Informative)

    by magamiako1 ( 1026318 ) on Wednesday September 14, 2022 @06:31PM (#62882845)
    Token attacks are nothing new and it's a long-known issue with browser-based and web-based authentication. I don't see why anybody is surprised. In fact, it was only last year that EA Games was hacked via Slack session cookies. Yet for some reason nobody lambasts Slack for that hack. How many web application developers implement continuous session token verification schemes? Next to none--because it requires application integration of the authentication platform (See: Okta Continuous Access/Microsoft Continual Access Evaluation).

    Either way, these mechanisms *built into Teams* should be useful to limit or prevent someone from using the token away from the device itself--assuming you've enabled decent Conditional Access policies. You can, of course, always revoke the token from AzureAD as well if compromise is detected.

    Perhaps I should work on this and explain how these tools work together.
    • by gweihir ( 88907 )

      Well, tokens used for authentication can be stolen if you sit on the client. There is really nothing that can be done about it. The token not being encrypted seems like a red herring. As long as the application can use it, so can anybody that has compromised the machine. You can probably limit it to that specific system using TPM, but that is about it.

      • Yeah. I mean thatâ€(TM)s where something AzureADâ€(TM)s CAE comes into play. And requiring compliant devices. Because it literally ties the token to the device at that point. There might be a very small period of time the token is useful off the device; but thatâ€(TM)s likely regardless of platform.

        The only way to â€oeguarantee†this is every single chat message be sent by requiring proof of presence with like a
    • TFA even says:

      Information stealers are already doing this for other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord, and many more.

      Then it goes on to give the recommendation that users switch to the browser version of Teams. Huh? Meh indeed.

  • Best practice is to have all 'admin' roles as cloud-only unlicensed users, meaning they can't sign in to teams at all. You're following best practice right?
  • A bit of a yawn.. (Score:5, Informative)

    by Junta ( 36770 ) on Wednesday September 14, 2022 @07:17PM (#62882929)

    This attack does not require special permissions

    Well, other than already having the permission of the user who is logged in.. They tried to up the scare factor by showing that you can get the client to dump the session token into a self-chat... but to do that you have to already have a token, so that drama doesn't really add anything because if you already have a token, you don't need to get the client to dump out another token for you.

    As a mere mortal application, there's not much they can do to keep a user from accessing his own data, in the state of platforms today. Options are:
    -Require a passphrase each time to start up. Which users will bitch about because that's too inconvenient
    -Have a more restricted set of privileges for a token granted to teams. Problem is the nature of teams is that you pretty much have access to *everything*, so there's not a lot of room for this strategy without defeating the whole point
    -Integrate with keyrings, where detected. This would be a decent idea, though a huge chunk of their target market wouldn't be set up for anything reasonable. In many cases this simply moves the problem and ultimately an attacker with the privilege to read the on-disk data can ultimately read the private key or at least ask the keyring for the same data as the application would ask. A keyring can mitigate this by requiring approval for each release of a key, to make it obvious that something is asking, but then users would have to recognize that Teams wouldn't just do that randomly for no reason...

    As a platform, these things can be mitigated further. Having a more restricted mount namespace with a designated place that is not expected to be available to all applications.

    • by gweihir ( 88907 )

      But really, if an attacker has compromised the system, they can already do everything they want. You cannot protect a token that a user can use against an attacker that can impersonate the user. The complaint about the token being non-encrypted seems to be completely meaningless as encryption would add exactly nothing here.

      • by Junta ( 36770 )

        So for one there's the fact the token is on disk and what if disk was swiped. Well, if you are using something like LUKS or BitLocker, you are golden, so this is of course the simple answer for that and the application doesn't need to care. This is a good practice that together with sealing to TPM pcrs can be both convenient and credibly secure (sealing to the right pcrs means that even if attacker has both tpm and drive, they'd need to let the boot progress normally, meaning no booting a rescue disk, no

  • The number of my users that got personal information leaked or took a risk of getting information leaked from my self-hosted instance....was zero.

  • by Gabest ( 852807 )

    The token is basically the second factor, it's only identifiying the device you have, not something that only you personally know, which would be the password itself.

    • What password?

      Oh, you mean that SSO pass-through token that my device passes on as a password?

      • Doesn't the authentication token change every few minutes? It also requires device administrator access to access the files, no?
  • The article says:

    Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.

    Electron apps can call Windows APIs. Yes, it is difficult since it is based on Node/Javascript, but there's plenty of ways to do it. If they needed to cache a token on disk they should have used the platform-specific APIs that are designed for this purpose. (Windows credential store, Windows data protection API, etc.) Yes, it means the implementation would vary by platform, but boo-hoo. Microsoft could have made a library to wrap that. Better yet, they could have released it since the

The goal of Computer Science is to build something that will last at least until we've finished building it.

Working...