Geekzone: technology news, blogs, forums


Lias

5250 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

#300522 15-Sep-2022 12:56

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

 

TL;DR, Teams auth tokens are stored unencrypted and accessible by any user of a machine, even non privileged users.





I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.


Dynamic
3583 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2968611 15-Sep-2022 13:03

Wow.  Thanks for posting this.





“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

 

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management.  A great Kiwi company.


 
 
 
 

MikeB4
18134 posts

Uber Geek

ID Verified
Trusted
Subscriber

  #2968619 15-Sep-2022 13:22

Thanks heaps for that 


amanzi
Amanzi
1149 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2968620 15-Sep-2022 13:26

"accessible by any user of a machine, even non privileged users" I don't believe this is true, but happy to be proved wrong. The token should be stored in the user profile and only that user would have access to it. An administrator on the machine would be able to get to it, but that's by design and is part of the trust model of having administrator rights. Perhaps encrypting the file would be a good idea, but there are lots of tokens stored in a user profile that contain sensitive data.




Beccara
1467 posts

Uber Geek

ID Verified

  #2968627 15-Sep-2022 13:45

Until I see something else I agree with Amanzi, the folders they are telling you to monitor are within user profiles. You'd need local admin priv's to gain access without using another privesc vuln.

 

It certainly could evolve into something that can be drive-by'ed but right now you'd need access and other vulns





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

gzt

gzt
15224 posts

Uber Geek

Lifetime subscriber

  #2968661 15-Sep-2022 15:15

Lias: PSA: Don't use Teams on shared devices. TL;DR, Teams auth tokens are stored unencrypted and accessible by any user of a machine, even non privileged users.

Microsoft announced some time ago they were dropping Electron. Based on previous statements from Microsoft I'm thinking the built in Windows 11 Teams does not use Electron at all.


gzt

gzt
15224 posts

Uber Geek

Lifetime subscriber

  #2968668 15-Sep-2022 15:33

There are a number of claims in that article. I skimmed. On a W10 system I examined "Session Storage" in the user profile is permissioned appropriately for a managed machine.

Ruphus
398 posts

Ultimate Geek


  #2968675 15-Sep-2022 15:51

TBH, if an attacker had local or remote access to the file system (which is required to get a hold of these tokens), there's other issues that need to be addressed first.




Beccara
1467 posts

Uber Geek

ID Verified

  #2968676 15-Sep-2022 15:55

Yeah it's not a point of entry, could be used for lateral movement but so could a keylogger at that point.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated

plas
425 posts

Ultimate Geek


  #2968680 15-Sep-2022 16:03

Beccara: Yeah it's not a point of entry, could be used for lateral movement but so could a keylogger at that point.

Better option would be to grab the browser profiles.


Lias

5250 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2968753 15-Sep-2022 18:18

amanzi: "accessible by any user of a machine, even non privileged users" I don't believe this is true, but happy to be proved wrong. The token should be stored in the user profile and only that user would have access to it. An administrator on the machine would be able to get to it, but that's by design and is part of the trust model of having administrator rights. Perhaps encrypting the file would be a good idea, but there are lots of tokens stored in a user profile that contain sensitive data.

"an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access"





I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.


gzt

gzt
15224 posts

Uber Geek

Lifetime subscriber

  #2968756 15-Sep-2022 18:33

Lias:/Article: Attackers do not require elevated permissions to read these files

This part is not explained unless I missed it in the text. The article names browser cache and Teams/Electron appdata "session cookies" SQLite file. As standard in Win 10 both directories restrict access to the named user, admin user and system user.

nztim
2840 posts

Uber Geek

ID Verified
Trusted
TEAMnetwork
Subscriber

  #2968759 15-Sep-2022 18:48

using the browser version inside incognito is okay other than that no no no and no





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


mwh

mwh
43 posts

Geek


  #2968763 15-Sep-2022 19:17

Lias: "an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access"

i.e. attackers who have access to the running user account do not need to elevate permissions to read files owned by the running user account. There are certainly more-protected ways to store credentials, but this article is hyperbolic clickbait (and there's nothing to do with shared devices or multiple users even then).


amanzi
Amanzi
1149 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2968776 15-Sep-2022 19:56

Lias: "an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in. Attackers do not require elevated permissions to read these files, which exposes this concern to any attack that provides malicious actors with local or remote system access"

As I and others have pointed out in this thread you're getting confused with the threat, and the inflammatory way this article is written is not helping. The tokens are only accessible by the user that created the token, or someone with administrator privileges to the computer. You started this thread with a title that said, "Don't use Teams on shared devices" and then you made a claim that these tokens are "accessible by any user of a machine, even non privileged users". But that is absolutely not true and can easily be verified by anyone who is using Teams by checking the file permissions of the files mentioned in the article. On a Windows machine these tokens are stored in the %APPDATA% directory which is only accessible by the logged-on user (and an administrator account). So a non-privileged user would not be able to access another user's token on a shared device. I haven't tested this on Linux or macOS so I can't say for sure, but I know the default behaviour on either of these operating systems is that anything inside the home directory is only accessible by that user.


gzt

gzt
15224 posts

Uber Geek

Lifetime subscriber

  #2968823 15-Sep-2022 20:46

Based on the file locations provided at the end of the article - "Attackers do not require elevated permissions to read these files" - the only thing that could make that statement true based only on the other information provided is creation of non-standard non-default user profile directories. I expect that sometimes occurs for administrative reasons relating to profile management.
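
The permission check that amanzi and gzt describe above, as an added example that is not part of any post in this thread: a PowerShell audit that lists every allow ACE granting read access under a profile data folder to anyone other than the current user, SYSTEM or local Administrators. The default path is an assumption (the classic Teams desktop client's folder under %APPDATA%); pass -Path to check the locations the article lists or a non-default profile directory.

```powershell
# Added example: list principals, beyond the expected three, that can read a profile data folder.
param(
    # Assumption: default is the classic Teams desktop client's data folder; override with -Path.
    [string]$Path = (Join-Path $env:APPDATA 'Microsoft\Teams')
)

if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }

# Expected on a default profile: the signed-in user, SYSTEM and local Administrators.
$me       = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$expected = @($me, 'S-1-5-18', 'S-1-5-32-544')

# Bits that grant read of file contents: ReadData (0x1), GENERIC_ALL, GENERIC_READ.
$readBits    = 0x1 -bor 0x10000000 -bor 0x80000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs (e.g. CREATOR OWNER) apply to children, not to this object.
        if (($ace.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        if (([int]$ace.FileSystemRights -band $readBits) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($expected -contains $sid) { continue }
        [pscustomobject]@{
            Path = $item.FullName; Sid = $sid
            Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
} else {
    "No read access beyond the current user, SYSTEM and Administrators under $Path"
}
```

Run it as the signed-in user; any row it prints is a principal that can read that file or folder without being the owner or an administrator.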
