Tom here from Lawrence Systems. Is there a flaw in Microsoft Teams that lets people steal authorization tokens out of clear text, or is that clickbait? The answer is yes to both questions, and let me explain. The problem is, clickbait is, well, the way you sometimes get people to click on a headline, or when Tom's really sitting there reading his phone when he first wakes up in the morning, which is the time I like to flip through the news and maybe not read as in-depth as I should. So I instantly decided to make a video to address this, because I think it's an important fundamental for how we think about security and how we sometimes overhype a problem, sometimes when I'm the one maybe overhyping, or at least participating in this BleepingComputer article. But let's talk about why it is a security flaw. It is a big deal, but is it a big deal that you should be aware of? The flaw exists in much more than Teams. Teams is a great grabber for the headline, but being able to pull authorization tokens out of clear text from memory is the way a lot of this stuff just works. So I'm here to raise awareness of how this functions, do a quick demo, and leave some links so you can check this for yourself.
Now, for those of you that haven't seen the article, too long; didn't read, here it is: Microsoft Teams stores all tokens as clear text in Windows, Linux and Mac. This was published on September 14th of 2022, tweeted by me on September 15th, 2022, early in the morning. Moving on: security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication and accounts with multifactor authentication turned on. This is the part where we get you engaged and interested, because yeah, that would be bad if someone were able to extract those things. But this tech does not require special permissions (not a clickbait title) or advanced malware to get away with major internal damage. Well, yeah, you could definitely call some damage the problem. Upon review it was determined that these access tokens were active and not an accidental dump of previous ones; these access tokens gave privilege, Outlook, Skype APIs, blah blah. More people joining in doing statements to validate all of this. Finally, Vectra developed the exploit by doing an API call, sending messages to oneself using the SQLite engine, all the things you want to do. But this is where things get a little bit broader. I want people to think about the security topic on this, because after I posted this right here, Marcus (I believe I say his name Maciel, I'm not sure; I'll leave a link to this) pointed out, and was very correct, and I'm actually very glad, thank you Marcus for calling me out on this, because some people were complaining about Microsoft, because the dog piling will definitely happen, for people understanding: if you have cookies and a valid session, you also don't need MFA on many services. So he is a security researcher and did a great job of bringing it up to me, pointing out something I should have seen, obviously. And I had also assumed there were better browser mitigations against this, and that's because over here under risk
mitigation they do have, while the patches only can be released, here's some recommendations, things to do for those who can't move to a different solution: they can create monitoring rules, discover processes actually and finally directories, etc. And this is where let's actually show you how it works real quick. So I want to give a technical demo before I do a summary, and we're going to do that using Process Hacker. I'll leave a link to this down below, and I'll also leave a link to a quick article kind of explaining Process Hacker and how to extract things from memory, and then really quickly show you how easy this is to pull something out of, well, Chrome, but insert the name of your favorite browser: Firefox, Chrome, all of these are storing certain amounts of things in memory; it's a matter of figuring out where those memory locations are. Now, one thing that was correct is the storing of these in browsers is done a little bit differently, but let's just show you something really quick. Now we're going to log into my forums, and we're some user at someuser.com, we have our super secret password.com, and what we're going to do is just, you know, paste that right in and right-click login. Oh wait, that one doesn't work. But where was that information put? We're going to find it in Process Explorer by going to filter for Chrome, double click, we're going to go over to the memory here, we're going to switch to strings, okay, we're going to filter for "contains this". Oh look. Now, relating this directly back is a little hard, because you don't really have anything more than a bunch of different places and memory addresses where this piece of information was stored, but you can see it's in there. And this is where the details matter and they get a little bit convoluted: the Chromium browser, which is the base for Google Chrome, Edge and a few others, does have some obfuscation techniques. I didn't dive into every detail of them, so while yes, your usernames or tokens may be stored
within memory, they're not exactly going to be really easy to get. Kind of the flaw as I understand it, and you know, there's still something to be thought about here with it: Teams. There's a lot going on in a browser. I'm logged into, well, I didn't give it time, at least 20 different websites, or many of you, if not more, but those auth tokens, because you authorized them, they hold the token and they allow you to browse these different pages or use these different online services. Your 2FA bypass is a serious concern there, because well, I can't get your 2FA; you're using insert the name of whatever 2FA you're using, but your session token that says you're logged in, that session token, that whole system, if that can be pulled, extracted, understood and then used in another browser, that would make you look like you logged in at the browser. Where I do see a little bit of a problem is when you use separated apps, and this is actually even for things like Slack. I use that in a browser, not as a separate Electron app, or Teams if you're using it, and I don't really use Teams much, but when I do, I do my conversations within the browser. I do it all in a browser rather than an Electron app, because targeting an Electron app, because it's a separate app that's kind of like a browser wrapped into something that looks like an app, the problem you're going to run into using that is it's a target. I know exactly what tokens are in it. Chrome is a large attack surface and has to be sorted out, and if they're doing some memory obfuscation, because they're moving it around, I may know where a token is, but I may not know what that token belongs to. It's something that has to be assembled, and like I said, there's some obfuscation going on. When I open up an Electron app that runs Microsoft Teams, for example, the only thing in that Electron app is going to be Microsoft Teams, so once I know the location of the auth token, I may be distracted. So yes, this is a security flaw, but it's also a little bit of clickbait, because once someone has local
access to the computer, you have to assume they're going to gain whatever privileges that user has, whatever sites that user's logged into. So while it's kind of clickbait, it's also kind of just eye-opening, and that's why I did it this way, and we'll leave those links down below so you can kind of poke around. And this is how security research starts, and maybe another one of you will go, "I was curious how this worked, I got to play with Process Explorer, now I have a better understanding of it," and it'll send you down the rabbit hole of starting to understand the complexities of security, the complexities of these topics, and maybe give you a better understanding of them. So links to the things I talked about are down below. The BleepingComputer article gives you a lot to think about; playing with what's in the browser and what's in memory, a lot to think about. And by the way, keep playing with things like Process Explorer and start pivoting out and figuring out what is stored where, for which process and in which memory, because I just think it's a great learning experience. Thank you for watching, and join me in the forums to say hi, say hi on Twitter, call me out every time I do this, and thanks to Marcus for kind of inspiring this a little bit. Follow him on Twitter, he's a smart guy. All right, thanks, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly,
so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
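As an added example (not from the video or its linked article), here is the programmatic Linux equivalent of the Process Hacker strings search shown in the demo: it walks /proc/<pid>/maps, reads each readable region from /proc/<pid>/mem and reports where a known canary token appears, so you can audit your own application for clear-text secrets, with a never-sent decoy as the negative control. It assumes Linux with ptrace permission over the target (a constructed child process here); the holder process, function names and token values are my own.

```python
"""Audit whether a process holds a secret in clear-text memory (Linux /proc).
Added example: the programmatic analogue of the Process Hacker "strings"
search. Assumes Linux and ptrace permission over the target (a child here)."""
import subprocess
import sys

# Constructed helper: a process that just keeps a token it reads from stdin.
HOLDER_CODE = ("import sys, time; token = sys.stdin.readline().strip(); "
               "print('ready', flush=True); time.sleep(60)")

def readable_regions(pid):
    """Yield (start, end) of readable mappings, skipping kernel-only areas."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split()
            name = fields[5] if len(fields) > 5 else ""
            if "r" not in fields[1] or name in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in fields[0].split("-"))
            yield start, end

def find_in_memory(pid, needle):
    """Return the addresses at which `needle` occurs in the process's memory."""
    hits = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end in readable_regions(pid):
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, OverflowError, ValueError):
                continue  # region vanished or is not readable through /proc
            pos = data.find(needle)
            while pos != -1:
                hits.append(start + pos)
                pos = data.find(needle, pos + 1)
    return hits

def audit_holder(secret, decoy):
    """Start a holder with `secret`; report where it and a never-sent decoy appear."""
    proc = subprocess.Popen([sys.executable, "-c", HOLDER_CODE],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    try:
        proc.stdin.write(secret + b"\n")
        proc.stdin.flush()
        proc.stdout.readline()  # 'ready': the token is now resident in memory
        return {"secret": find_in_memory(proc.pid, secret),
                "decoy": find_in_memory(proc.pid, decoy)}
    finally:
        proc.kill()
        proc.wait()
```

A hit count of zero for a token you know the process holds can mean it is encoded or encrypted in memory, the kind of obfuscation the video attributes to Chromium, whereas one or more hits is the clear-text case the article describes.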