Microsoft Teams Stores Auth Tokens As Cleartext In Windows, Linux, Macs (bleepingcomputer.com)
Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. BleepingComputer reports: "This attack does not require special permissions or advanced malware to get away with major internal damage," Connor Peoples at cybersecurity company Vectra explains in a report this week. The researcher adds that by taking "control of critical seats -- like a company's Head of Engineering, CEO, or CFO -- attackers can convince users to perform tasks damaging to the organization." Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn't meet the criteria for patching.
With a patch unlikely to be released, Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks. The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.
Teams is Crap (Score:5, Funny)
M$ Teams is probably the worst slack clone ever, it really sucks balls...
Re: (Score:3)
*Laughs in ironic*
The dearly-departed infosec boss at my place pretty much mandated MS teams, and cowed the dearly-departed Director into trying to force it onto us.. but the rest of us stayed on something else. But.. notice those two are goners, some time ago, and we're not.
Now, that Something Else's probably full of holes too, but hey -- at least it didn't get called out for being horribly insecure.
Or maybe it has. Oh who cares at this point.
If the Exchange ownage wasn't enough to sour people on MS, not
Re: (Score:2)
Teams is our most-used means of communicating. Yes, I know.
Do I care? No, why would I?
Re: (Score:3)
Tell me about it. If someone has screen sharing open, I can only view the content if I drag the teams window to the left monitor. Screen sharing draws under or over other windows that happen to be sharing the same screen leaving a garbled mess where the windows overlapped. Weird random shadows that go away if I drag other windows farther from the screen sharing window. I don't know if it's teams in general or some weird interaction with Citrix, but I hate it.
Re:Teams is Crap (Score:4, Informative)
Also, when someone shares their screen and they want to let you control but you aren't running the Windows client? Tough luck, not going to happen. Which is a *bizarre* restriction, a web element can just as easily receive mouse and keyboard events. But let's say that you do control...
Ok, you want to hit tab completion, whoops, that just goes to another element. A number of common keyboard shortcuts you might want to use on the target display, teams intercepts and does weird things...
And a simple one, if I hit ctrl-shift-c (my terminal copy shortcut) but accidentally have Teams open, well I just immediately called whatever chat window happened to have focus without so much as a confirmation. Every couple of days a big chat room obnoxiously calls me because some random person made the mistake of hitting ctrl-shift-c again...
Oh yes, I remember a conversation and need it, let me search the text, click on it hoping to bring me to the point in history where it came up, nope, it just shows me a *single* text with no ability to navigate to the context...
I'm going to attach a file, I navigated several directories deep and accidentally clicked the wrong one... whoops I'll just go to the parent directory... nope, no parent directory option in their bespoke file chooser, you have to start over. Instead of using a standard file chooser, they rolled one from scratch that can't even navigate up a directory...
Then of course there's the *atrocious* scroll performance. You start scrolling into history and it just is mind numbingly slow...
But since the company pays for Office365 *anyway*, well, what sense would it make to use anything else? We are all just whiners and should be happy with this blessing from Microsoft...
Re: (Score:2)
The strange thing is, there are other web apps that don't even drag their own browser that can handle passing shortcuts through fine. So while I broadly agree with a sentiment that everything as a webapp is a frustrating state of affairs, I think that they could still handle keyboard shortcut passthrough since other web-focused applications seem to manage.
Re: (Score:3)
Well, maybe with the exception of Slack itself. Slack thinks it can somehow replace email. https://www.cnbc.com/2019/06/2... [cnbc.com] Yet Slack still relies on email to establish new conversations outside the company. https://www.lifewire.com/will-... [lifewire.com].
Teams and Slack both have their issues, but as a regular Teams user and former Slack user, I can see Teams improving by leaps and bounds. In recent months, most of the really annoying problems have been resolved. I'm not sure Slack can afford the development team neces
Re: (Score:2)
Slack costs extra, a free alternative like Rocket.Chat requires servers, expertise and admin overhead to run... Many companies are already locked in to MS services, so Teams comes for free. If not for this, I doubt many places would be using it at all.
With this being the primary driver of their userbase, why would they bother to improve anything? They don't need to try and compete on functionality..
Re: (Score:2)
I really can't understand how Teams is so shit, TBH. Presumably it is used widely at Microsoft, so you would have thought that the developers would have had plenty of motivation to make it suck less. Despite that even the most basic functions don't work, like scrolling as new messages are posted. It's like some amateur hour student project written in Visual BASIC.
Meh (Score:5, Informative)
Either way, these mechanisms *built into Teams* should be useful to limit or prevent someone from using the token away from the device itself--assuming you've enabled decent Conditional Access policies. You can, of course, always revoke the token from AzureAD as well if compromise is detected.
Perhaps I should work on this and explain how these tools work together.
Re: (Score:2)
Well, tokens used for authentication can be stolen if you sit on the client. There is really nothing that can be done about it. The token not being encrypted seems like a red herring. As long as the application can use it, so can anybody that has compromised the machine. You can probably limit it to that specific system using TPM, but that is about it.
Re: Meh (Score:2)
The only way to "guarantee" this is every single chat message be sent by requiring proof of presence with like a
Re: (Score:2)
Information stealers are already doing this for other applications, such as Google Chrome, Microsoft Edge, Mozilla Firefox, Discord, and many more.
Then it goes on to give the recommendation that users switch to the browser version of Teams. Huh? Meh indeed.
This sucks but shouldn't affect anything of value (Score:2)
Re: This sucks but shouldn't affect anything of va (Score:2)
The people with that kind of talent cost money that most businesses can't afford. And I use the word "talent" loosely because it's really common sense that most IT workers don't seem to have. Do shit work, get shit pay.
Re: (Score:2)
Not true... Unfortunately Teams is integrated with OneDrive, SharePoint and other M$ resources, so having access to Teams opens the door to accessing other systems within the enterprise.
A bit of a yawn.. (Score:5, Informative)
This attack does not require special permissions
Well, other than already having the permission of the user who is logged in.. They tried to up the scare factor by showing that you can get the client to dump the session token into a self-chat... but to do that you have to already have a token, so that drama doesn't really add anything because if you already have a token, you don't need to get the client to dump out another token for you.
As a mere mortal application, there's not much they can do to keep a user from accessing his own data, in the state of platforms today. Options are:
-Require a passphrase each time to start up. Which users will bitch about because that's too inconvenient
-Have a more restricted set of privileges for a token granted to teams. Problem is the nature of teams is that you pretty much have access to *everything*, so there's not a lot of room for this strategy without defeating the whole point
-Integrate with keyrings, where detected. This would be a decent idea, though a huge chunk of their target market wouldn't be set up for anything reasonable. In many cases this simply moves the problem and ultimately an attacker with the privilege to read the on-disk data can ultimately read the private key or at least ask the keyring for the same data as the application would ask. A keyring can mitigate this by requiring approval for each release of a key, to make it obvious that something is asking, but then users would have to recognize that Teams wouldn't just do that randomly for no reason...
As a platform, these things can be mitigated further. Having a more restricted mount namespace with a designated place that is not expected to be available to all applications.
Re: (Score:2)
But really, if an attacker has compromised the system, they can already do everything they want. You cannot protect a token that a user can use against an attacker that can impersonate the user. The complaint about the token being non-encrypted seems to be completely meaningless as encryption would add exactly nothing here.
Re: (Score:2)
So for one there's the fact the token is on disk and what if disk was swiped. Well, if you are using something like LUKS or BitLocker, you are golden, so this is of course the simple answer for that and the application doesn't need to care. This is a good practice that together with sealing to TPM pcrs can be both convenient and credibly secure (sealing to the right pcrs means that even if attacker has both tpm and drive, they'd need to let the boot progress normally, meaning no booting a rescue disk, no
Is anyone surprised? (Score:1)
Not I.
Complain That Jitsi Sucks All You Want (Score:2)
The number of my users that got personal information leaked or took a risk of getting information leaked from my self-hosted instance....was zero.
2FA (Score:2)
The token is basically the second factor, it's only identifiying the device you have, not something that only you personally know, which would be the password itself.
Re: (Score:2)
What password?
Oh, you mean that SSO pass-through token that my device passes on as a password?
Re: 2FA (Score:2)
Re: (Score:2)
Applications that access restricted user data (encryption or access control enforced by the platform or remote system) have these two options:
Ask for the password (or other credential) every time. This might be practical for a command line tool where it doesn't keep any state between invocations, but it's not practical for desktop or web applications where the user interacts with them for more than one action. Asking the user to provide a credential on every action they take is annoying, and will train the
Electron can use the windows data protection APIs (Score:2)
The article says:
Electron does not support encryption or protected file locations by default, so while the software framework is versatile and easy to use, it is not considered secure enough for developing mission-critical products unless extensive customization and additional work is applied.
Electron apps can call Windows APIs. Yes, it is difficult since it is based on Node/Javascript, but there's plenty of ways to do it. If they needed to cache a token on disk they should have used the platform-specific APIs that are designed for this purpose. (Windows credential store, Windows data protection API, etc.) Yes, it means the implementation would vary by platform, but boo-hoo. Microsoft could have made a library to wrap that. Better yet, they could have released it since the
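As an added illustration of the platform-specific approach the comment above describes (this is example code written for this page, not Teams code or anything from Microsoft or Vectra): a Windows PowerShell script that caches a token on disk through DPAPI (`System.Security.Cryptography.ProtectedData`) instead of in cleartext, then reads it back. It assumes Windows with Windows PowerShell 5.1 or PowerShell 7; the application name, the file path under `%LOCALAPPDATA%`, the entropy string and the token value are all constructed for the example.

```powershell
# Added example (not from the article, Vectra's report, or Microsoft's Teams code):
# cache an access token on disk with DPAPI instead of writing it in cleartext.
# Windows-only; needs Windows PowerShell 5.1 or PowerShell 7 on Windows.
# The token value, app name, entropy string and file path are constructed for illustration.
Add-Type -AssemblyName System.Security

$TokenPath = Join-Path $env:LOCALAPPDATA 'ExampleApp\token.bin'   # hypothetical path

# Per-app entropy mixed into the DPAPI key. It blocks generic "unprotect every DPAPI blob"
# tooling from decrypting the file without knowing this value, but anyone who can read
# this script learns it, so it is defence in depth rather than a trust boundary.
$AppEntropy = [Text.Encoding]::UTF8.GetBytes('ExampleApp-v1')

function Save-ProtectedToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$Path
    )
    $plain = [Text.Encoding]::UTF8.GetBytes($Token)
    # CurrentUser scope: the blob can only be unprotected by this user profile on this
    # machine (or via roaming of the user's DPAPI master keys), not by other local users.
    $blob = [Security.Cryptography.ProtectedData]::Protect(
                $plain, $AppEntropy,
                [Security.Cryptography.DataProtectionScope]::CurrentUser)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    [IO.File]::WriteAllBytes($Path, $blob)
    # Zero the plaintext buffer we hold; the protected blob on disk is all that remains.
    [Array]::Clear($plain, 0, $plain.Length)
}

function Get-ProtectedToken {
    param([Parameter(Mandatory)][string]$Path)
    $blob  = [IO.File]::ReadAllBytes($Path)
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $AppEntropy,
                 [Security.Cryptography.DataProtectionScope]::CurrentUser)
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample token (not a real credential).
$sample = 'eyJhbGciOiJSUzI1NiJ9.example-payload.example-signature'
Save-ProtectedToken -Token $sample -Path $TokenPath

# Check 1: the file on disk no longer contains the token in cleartext.
$onDisk = [Text.Encoding]::UTF8.GetString([IO.File]::ReadAllBytes($TokenPath))
"Cleartext token visible in file: $($onDisk.Contains($sample))"

# Check 2: the same user gets it back. This is also the limit the thread points out:
# DPAPI binds the blob to the user profile and machine, so any process already running
# as that user (an infostealer included) can call Unprotect exactly as this script does.
$roundTrip = Get-ProtectedToken -Path $TokenPath
"Round trip matches: $($roundTrip -eq $sample)"
```

What this buys and what it does not: a copied disk or a different local account cannot read the blob, which is the "disk was swiped" case raised earlier in the thread; malware running as the logged-in user still can, which is the case the article is actually about. Per-user DPAPI protection is the baseline the comment asks Electron apps to use on Windows; it is not a substitute for Conditional Access policies or for revoking the session once compromise is suspected.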