Microsoft Teams for Windows, macOS and Linux insecurely stores authentication tokens in unprotected cleartext -- and a fix is NOT in the pipeline
Researchers from cybersecurity firm Vectra have issued a warning that Microsoft Teams stores authentication tokens in an unprotected form that could easily be abused by hackers.
The desktop apps for Windows, macOS and Linux all store authentication tokens in cleartext, and this can be used by an attacker to steal an identity and log into accounts. This is clearly worrying, but what is more concerning is Microsoft's reaction; the company says that the issue does not require "immediate servicing".
The issue was discovered last month by researchers from Vectra's Protect team. Described as an "attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in", the attack can be performed without the need for elevated privileges.
The problem stems from the fact that Teams is an Electron-based app, and there is no support for encryption.
Writing about its findings, Vectra says:
Our research discovered that the Microsoft Teams App stores authentication tokens in cleartext. With these tokens, attackers can assume the token holder's identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker's system. Even worse, these stolen tokens allow attackers to conduct actions against MFA-enabled accounts, creating an MFA bypass.
Microsoft is aware of this issue and closed the case stating that it did not meet their bar for immediate servicing. Until Microsoft moves to update the Teams Desktop Application, we believe customers should consider using the web-based Teams application exclusively. For customers who must use the installed desktop application, it is critical to watch key application files for access by any processes other than the official Teams application.
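One way to implement the file-watching mitigation Vectra recommends above, as an added example that is not Vectra's or Microsoft's code: it reads file-access audit records (constructed here) and flags any process other than the official Teams client that touches the token store. The token-store path and the allowed Teams executable are placeholder assumptions to be replaced with the real values for your platform.

```python
"""Flag processes other than the official Teams client that touch the Teams
token store, per Vectra's advice to watch key application files.

Added example, not code from Vectra, Microsoft or the article. The store
path and the allowed executables are placeholders (assumptions); records are
constructed, one JSON object per line with "process" and "path" fields.
"""
import json
from pathlib import PurePosixPath

# Placeholder for wherever the Teams client keeps its token files on this host.
TOKEN_STORE_DIR = "/home/alice/.config/Microsoft/Teams/PLACEHOLDER_TOKEN_STORE"
# Placeholder allow-list of executables permitted to read that directory.
ALLOWED_IMAGES = {"/usr/bin/teams"}


def under_token_store(path: str, store: str = TOKEN_STORE_DIR) -> bool:
    """True if `path` is the store directory itself or anything beneath it.
    Compares path components, so a sibling such as `<store>_backup/x` is not
    matched the way a naive string-prefix check would match it."""
    parts, base = PurePosixPath(path).parts, PurePosixPath(store).parts
    return parts[: len(base)] == base


def suspicious_accesses(records, allowed=ALLOWED_IMAGES):
    """Return (process, path) pairs for non-allow-listed processes that
    touched the token store. Malformed records are skipped, not fatal."""
    hits = []
    for line in records:
        try:
            rec = json.loads(line)
            process, path = rec["process"], rec["path"]
        except (ValueError, KeyError, TypeError):
            continue  # not a usable audit record
        if under_token_store(path) and process not in allowed:
            hits.append((process, path))
    return hits


# Constructed audit records (not real telemetry): the Teams client reading
# its own store, a script reading the same file, an unrelated file access.
SAMPLE_RECORDS = [
    '{"process": "/usr/bin/teams", "path": "' + TOKEN_STORE_DIR + '/Cookies"}',
    '{"process": "/usr/bin/python3", "path": "' + TOKEN_STORE_DIR + '/Cookies"}',
    '{"process": "/usr/bin/python3", "path": "/home/alice/notes.txt"}',
    "not an audit record",
]

if __name__ == "__main__":
    for process, path in suspicious_accesses(SAMPLE_RECORDS):
        print(f"ALERT: {process} accessed {path}")
```

In production the records would come from your endpoint file-access telemetry rather than an inline list, and the allow-list should name the exact signed Teams binary for each platform.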
As Microsoft is in no rush to fix the potentially very serious issue, the advice from Vectra is clear -- stop using the Teams app:
We do not recommend using the full Microsoft Teams client until Microsoft patches this issue effectively. Use the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect token leaks. Fortunately, the Teams web application is robust and supports most features enabled through the desktop client, keeping organization productivity impacts to a minimum.
Once Microsoft has updated the Electron Teams applications, it is still critical to move to a high-restriction model for preventing the installation of unauthorized Teams Apps, bots, connectors, etc.
For Linux users, this is the recommended path full stop, as Microsoft has announced the end of life for Teams for Linux by December 2022.
You can read more details of the security vulnerability in Vectra's blog post.