Researchers on Tuesday reported that this past August they identified an attack path that lets malicious actors with file system access steal credentials for any logged-on Microsoft Teams user.
In a Sept. 13 blog post, the Vectra Protect team said that because attackers do not require elevated permissions to read these files, the concern is exposed to any attack that gives malicious actors local or remote system access.
The researchers said this vulnerability impacted all commercial and Government Community Cloud Desktop Teams clients for Windows, Mac and Linux.
Microsoft has been made aware of this issue and closed the case in late August, stating that it did not meet its bar for immediate servicing. The Vectra researchers said until Microsoft moves to update the Teams Desktop Application, they don’t recommend using the full Teams client and advise customers to consider using the web-based Teams application exclusively.
The researchers said security teams should use the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks. They said the Teams web application is robust and supports most features enabled through the desktop client, keeping the organization’s productivity impacts to a minimum. For customers that must use the installed desktop application, the researchers said it’s critical to watch key application files for access by any processes other than the official Teams application.
When asked Thursday if the situation had changed, Aaron Turner, CTO, SaaS Protect at Vectra, said to the Vectra team’s knowledge, Microsoft had not changed its stance.
Turner said in Vectra’s interactions with customers, only those organizations with extreme exposure to sophisticated adversaries (defense contractors, critical infrastructure operators) are seriously considering eliminating the Teams.exe application on endpoints and forcing users to collaborate through Teams via a managed browser. Turner said most of the organizations he has talked to plan on implementing an endpoint detection and response monitoring policy to watch for any situations of unauthorized access by a system process to the file storage locations where the tokens are stored.
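The file-access monitoring that the researchers and Turner describe can be sketched as a filter over endpoint file-access events. This is an added example, not code from Vectra or Microsoft; the directory, the install path, the file name and the event field names are constructed placeholders, since the article names none of them.

```python
import ntpath  # Windows path rules, usable on any OS for log analysis

# Placeholders (assumptions): the article names neither the token storage
# location nor the install path; substitute the values for your environment.
PROTECTED_DIRS = [r"C:\Users\alice\AppData\Roaming\PLACEHOLDER-Teams-Profile"]
ALLOWED_IMAGES = {r"C:\PLACEHOLDER\Teams\Teams.exe"}

def _norm(path):
    # Collapse "..", unify separators and case so variants compare equal.
    return ntpath.normcase(ntpath.normpath(path))

def _is_under(path, directory):
    path, directory = _norm(path), _norm(directory)
    # Require a separator after the prefix so sibling directories do not match.
    return path == directory or path.startswith(directory + "\\")

def unauthorized_accesses(events, protected_dirs=PROTECTED_DIRS,
                          allowed_images=ALLOWED_IMAGES):
    """Return events where a non-allowlisted process touched a protected dir."""
    allowed = {_norm(p) for p in allowed_images}
    alerts = []
    for ev in events:
        if not any(_is_under(ev["target"], d) for d in protected_dirs):
            continue  # not a watched file
        if _norm(ev["image"]) in allowed:
            continue  # the expected application, matched on full image path
        alerts.append(ev)
    return alerts

# Constructed file-access events (hypothetical field names "image"/"target").
_P = PROTECTED_DIRS[0]
SAMPLE_EVENTS = [
    {"image": r"C:\PLACEHOLDER\Teams\Teams.exe", "target": _P + r"\token-store.db"},
    {"image": r"C:\Python311\python.exe", "target": _P + r"\token-store.db"},
    # Same file name as the real client, wrong location: basename checks miss it.
    {"image": r"C:\Users\alice\Downloads\Teams.exe", "target": _P + r"\token-store.db"},
    # Case and ".." variations of the protected path.
    {"image": r"C:\Windows\System32\cmd.exe",
     "target": r"c:\users\ALICE\appdata\roaming\x\..\placeholder-teams-profile\token-store.db"},
    # Sibling directory sharing the prefix: must not alert.
    {"image": r"C:\Windows\notepad.exe", "target": _P + r"-Backup\notes.txt"},
]

if __name__ == "__main__":
    for ev in unauthorized_accesses(SAMPLE_EVENTS):
        print("ALERT:", ev["image"], "->", ev["target"])
```

Matching on the full normalized image path rather than the process name is what keeps a binary that merely calls itself Teams.exe from passing as the official application.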
“With hundreds of millions of monthly users, Microsoft Teams has become a significant part of today’s new remote work reality,” Turner said. “As a result of its market share, and the role that the platform plays in both commercial, non-profit and government collaboration, attackers will focus on the entire Teams ecosystem to find ways to compromise identities and gain unauthorized access to data shared through Teams.”
Turner added that the work Vectra’s Connor Peoples spearheaded to discover this vulnerability and coordinate his findings with Microsoft is part of Vectra's efforts to help make the Microsoft 365 ecosystem a safer and fairer place for any organization to communicate and collaborate. As outlined in the research, Turner said there are some improvements that Microsoft can make to shore up the Electron application for Windows and macOS. He said those improvements should also help prevent future vulnerabilities, such as other recently disclosed problems relating to XSS attacks and potential command and control activity using GIFs.
“We echo the guidance from other security researchers that until the Teams Electron application is significantly improved, it is safer to use Microsoft Teams through a managed browser,” said Turner.
Sammy Migues, principal scientist at Synopsys Software Integrity Group, said like every application framework, Electron has its own idiosyncrasies related to authentication, secure file storage, and communications. Migues said development teams use frameworks for the same reason they use lots of other open source — it makes their jobs easier and faster. On the other hand, even security-aware teams might not understand what’s really going on in the depths of the framework they’re using. Migues said in this case, it appears that Electron might save some sensitive data in an insecure way.
“Note that Electron is no stranger to security issues,” Migues said. “Last month saw another bug in Electron that could cause issues in apps from Microsoft, Discord, BaseCamp, and others. There was also a bug last year. As more people investigate Electron, there will almost certainly be more issues uncovered. Could Electron do more around security? Absolutely. Is it Electron’s fault that application teams use it in certain ways that expose certain information despite Electron’s limitations? Well, not really.”