Caute_cautim
Community Champion

So who works within Microsoft TEAMS every day?

Hi All

 

A bit disturbing:

 

Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.

Microsoft Teams is a communication platform, included in the 365 product family, used by more than 270 million people for exchanging text messages, videoconferencing, and storing files.

 

https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-wi...

 

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

 

It's a field day for the Hacking community!!

 

Regards

 

Caute_Cautim

 

 

3 Replies
JoePete
Advocate I

Interesting. While Teams predated the pandemic, I suspect there was a lot of pressure to pump out new releases during Covid, and maybe some steps were skipped.

 

If I read correctly, this only impacts the desktop app and requires local access. The big flaw is a combination: the tokens are stored in clear text, in non-protected space, and can be re-used. All this points toward using the Electron framework, which is basically JavaScript - client-side scripting. JavaScript is useful for building non-essential functionality, but confidentiality and integrity are inherently difficult to ensure with it. The problem is these script frameworks are popular because it is an easy way to make cross-platform "applications." Again, I suspect market pressure pushed them in this direction.

 

As to Microsoft's "no big deal" response: while it is true that a prerequisite compromise would have to happen (an attacker gets access to local files), this has been the problem that has plagued Microsoft for seemingly decades. Their model is all about integration - between applications but also between those applications and the OS. While it can work, and is working much better today than years ago, it is still a bit of Tootsie-Pop design where if an attacker can crack the thin, hard shell, it's all soft and gooey inside.

denbesten
Community Champion

Would be helpful if the reports included the CVE number and the CVSS score.  A few quick searches yielded neither. Based on my reading of the article, I would classify it as "session hijacking requiring local access" and estimate the CVSS at about 6.1 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:W/RC:C).  

 

The vendor response does have a dismissive tone that is probably playing into the hype, but knowing that "Teams 2.0" will not be using Electron, I do see where they are headed.  Now if we could just get a release date for Teams for Business 2.0.

 

The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.

 

denbesten
Community Champion


@JoePete wrote:

Tootsie-Pop design....


So 4 layers of defense to protect against the 3-lick attack vector.