January 31, 2023

Taylor Daily Press

Complete News World


Microsoft Teams stores login tokens in plain text

Users of the Microsoft Teams desktop app are at risk of having their account credentials leaked. Microsoft stores this data without protection.

Security researchers from Vectra AI discovered that Microsoft Teams stores login tokens, so-called authentication tokens, in plain text. Malicious people who gain access to these tokens can use them to log into the victims' accounts. The researchers came across the security risk in August and subsequently reported it to Microsoft. Remarkably, the company acknowledges the discovery, but at the same time indicates that it will not resolve the vulnerability urgently. The software giant says it is considering offering a solution in a future version of Teams.

Network user access

Vectra contradicts Microsoft's claim and believes the leak should be fixed quickly. As an example, the researchers cite the leak of tokens belonging to high-ranking employees. After such a leak, malicious parties could log into the Microsoft accounts of these employees without needing 2FA codes and retrieve the company's sensitive data. To retrieve the tokens, malicious parties only need access to the user's computer, which holds the file containing the plaintext tokens.

The software giant cites this as a reason to give the vulnerability a low priority. After all, to gain access to the plaintext tokens, malicious parties must already have penetrated the local network or the user's computer. In principle, they can access all user data on that computer from that moment on. Because you cannot simply get into someone else's network, Microsoft plays down the severity of the leak, it tells BleepingComputer.

Until Microsoft releases a solution for the Teams desktop app, Vectra recommends that users switch to the browser version of the service. This version is said to be better able to protect users' tokens. Specifically, Vectra recommends using the web variant in the Edge browser.