Microsoft Teams has been storing authentication tokens in plaintext

Microsoft downplayed the flaw saying it 'does not meet our bar for immediate servicing.'

Sponsored Links

Steve Dent
September 16, 2022 5:35 AM
UKRAINE - 2021/06/26: In this photo illustration a Microsoft Teams logo is seen on a smartphone and a pc screen. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)
SOPA Images via Getty Images

Microsoft Teams stores authentication tokens in unencrypted plaintext mode, allowing attackers to potentially control communications within an organization, according to the security firm Vectra. The flaw affects the desktop app for Windows, Mac and Linux built using Microsoft's Electron framework. Microsoft is aware of the issue but said it has no plans for a fix anytime soon, since an exploit would also require network access.

According to Vectra, a hacker with local or remote system access could steal the credentials for any Teams user currently online, then impersonate them even when they're offline. They could also pretend to be the user through apps associated with Teams, like Skype or Outlook, while bypassing the multifactor authentication (MFA) usually required. 

"This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files," Vectra security architect Connor Peoples wrote. "Even more damaging, attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks."

Turn on browser notifications to receive breaking news alerts from Engadget
You can disable notifications at any time in your settings menu.
Not now

Attackers can tamper with legitimate communications within an organization by selectively destroying, exfiltrating, or engaging in targeted phishing attacks.

Vectra created a proof-of-concept exploit that allowed them to send a message to the account of the credential holder via an access token. "Assuming full control of critical seats–like a company’s Head of Engineering, CEO, or CFO — attackers can convince users to perform tasks damaging to the organization."  

The problem is mainly limited to the desktop app, because the Electron framework (that essentially creates a web app port) has "no additional security controls to protect cookie data," unlike modern web browsers. As such, Vectra recommends not using the desktop app until a patch is created, and using the web application instead.

When informed by cybersecurity news site Dark Reading of the vulnerability, Microsoft said it "does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network," adding that it would consider addressing it in a future product release. 

However, threat hunter John Bambenek told Dark Reading it could provide a secondary means for "lateral movement" in the event of a network breach. He also noted that Microsoft is moving toward Progressive Web Apps that "would mitigate many of the concerns currently brought by Electron."

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission. All prices are correct at the time of publishing.
Popular on Engadget