Microsoft Teams stores cleartext auth tokens, won’t be quickly patched
Microsoft’s Teams desktop client stores users’ authentication tokens in an unprotected text format, according to cybersecurity company Vectra. An attacker with local access to the machine could use those tokens to post messages as the user and move laterally through an organization, even when two-factor authentication is enabled.
Vectra recommends avoiding Microsoft’s desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.
Microsoft, for its part, believes Vectra’s exploit “does not meet our bar for immediate servicing,” since it would require other vulnerabilities to be exploited to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing [the issue] in a future product release.”