Microsoft Teams stores cleartext auth tokens, won’t be quickly patched

Enlarge / Using Teams in a browser is actually safer than using Microsoft’s desktop apps, which are wrapped around a browser. It’s a lot to work through. (credit: Jernej Furman / Flickr)

Microsoft’s Teams client stores users’ authentication tokens in an unprotected text format, potentially allowing attackers with local access to post messages and move laterally through an organization, even with two-factor authentication enabled, according to a cybersecurity company.

Vectra recommends avoiding Microsoft’s desktop client, built with the Electron framework for creating apps from browser technologies, until Microsoft has patched the flaw. Using the web-based Teams client inside a browser like Microsoft Edge is, somewhat paradoxically, more secure, Vectra claims. The reported issue affects Windows, Mac, and Linux users.

Microsoft, for its part, believes Vectra’s exploit “does not meet our bar for immediate servicing” since it would require other vulnerabilities to get inside the network in the first place. A spokesperson told Dark Reading that the company will “consider addressing (the issue) in a future product release.”

Read 6 remaining paragraphs Comments