Microsoft Teams Local Information Disclosure in Windows, Linux, and macOS

By Bryson Medlock, September 15, 2022

Information has recently been disclosed regarding a method an attacker can use to gain access to a Microsoft Teams or Skype account even with MFA turned on. Microsoft Teams is a communications platform that comes included with Microsoft 365 and is used in workplaces around the world for real-time collaboration and communication, video conferencing, and file and app sharing; it has over 270 million users worldwide. According to information disclosed by security firm Vectra, the issue in question is that the desktop application versions of Microsoft Teams store access tokens on disk in clear text. Keep in mind that an attacker must already have access to the local file system to get this information, so this is a method an attacker could potentially use for lateral phishing or to gain access to confidential information stored in Teams.

Microsoft Teams is developed on a framework called Electron. Electron is a framework built on Node.js and Chromium that allows a developer to build desktop applications using web technologies such as JavaScript, HTML, and CSS by running the web application inside a custom Chromium-based browser. Since the Teams application is essentially a web app running in a browser, the embedded browser requires traditional browser data such as cookies.

Microsoft Teams is essentially a conglomeration of other M365 services that rely on Skype, SharePoint, and Outlook using the Microsoft Graph API. After a user logs in to Teams (after MFA), an access token is created. The access token is a temporary token, generated by the Microsoft identity platform, with a default useful lifetime between 60 and 90 minutes. An access token is how an application verifies which permissions a user has while they are using the application. Essentially, it is how you remain logged in to the application without having to re-authenticate for every action you perform. Depending on your configuration, before the token expires the application can perform a "silent" login to obtain a new token with a new expiration time. If you have access to a current, valid access token, it can be used to access the Graph API directly and thereby to perform actions as the user who owns the token. Because the access token is created after a user authenticates, including MFA, a stolen token could be used as an MFA bypass.

Gaining access to the token does require access to the file system of a user who has already authenticated to Teams, and the token has a limited shelf-life (on average about 75 minutes). For these reasons, Microsoft closed the case submitted by Vectra, telling them it did not meet their standard for "immediate servicing." Since there is no fix coming from Microsoft anytime soon, Vectra recommends using the browser-based version of Teams rather than the desktop application. Modern web browsers use native OS facilities to secure and encrypt stored cookie content, since access tokens are a common mechanism used by many web applications and must be stored somewhere locally to be used.

Overall, this is not a critical vulnerability, though we could start seeing threat actors adding this technique to their toolchain, possibly even creating a tool similar to Mimikatz. That being said, plenty of existing infostealer malware in the wild today can also access encrypted browser data for post-exploitation and lateral movement. The fact that Teams stores the access token in clear text doesn't change anything significantly; it just saves threat actors a step.