Microsoft Teams is storing authentication tokens in cleartext

Sep 16, 2022

A security weakness has been reported in Microsoft Teams. A report published by security firm Vectra reveals that the Teams desktop client stores authentication tokens on disk in cleartext.


The issue affects the desktop versions of Teams for Windows, macOS and Linux. An attacker with local (physical) or remote access to a victim's machine can read the tokens of any signed-in user without administrator privileges, since the files are readable by any process running as that user. Because the tokens are issued after sign-in has completed, replaying them does not trigger multi-factor authentication even when it is enforced on the account, and the same tokens are accepted by related services such as Skype and Outlook. A stolen token could be used to impersonate the user, tamper with data, or send convincing phishing messages from a trusted account.


How the vulnerability was discovered

Vectra's researchers found the issue while helping a client who wanted to remove inactive user accounts from Microsoft Teams. The app offers no way to do this, so they looked for an alternative and came across two files of interest in the client's on-disk data. One contained the authentication tokens stored by Teams in cleartext (unencrypted). The other, a browser-style cookies database, held the same tokens.

The firm built a proof of concept to check whether the stored tokens could actually be used to reach user accounts. It used the SQLite engine to read the cookies database from the local profile folder and pulled the Skype access token out of it, then used that token to send a test message, confirming that a token lifted from disk is accepted by other services.
An attacker inside an organization could use the same trick to pose as a CEO or CFO and talk other employees into actions that damage the company.

Vectra's advisory puts the blame on the Electron framework, which does not provide encrypted or OS-protected storage for secrets out of the box: by default, cookies and local storage are written as plain files in the user's profile directory. Ars Technica points out that this class of problem is not new to Electron apps; similar issues have been reported in WhatsApp, Skype and Slack over the past couple of years. Vectra recommends that Electron developers keep OAuth tokens out of these default stores and put them in an OS-backed secret store instead, for example via KeyTar, which wraps the Windows Credential Manager, the macOS Keychain and libsecret on Linux.
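The check described in the two passages above, as an added example in Python (this is not Vectra's proof of concept and not Microsoft code): it opens a Chromium-style Cookies SQLite database and pulls out token-shaped cookie values, the way the PoC did, and it also scans the raw bytes of every file in a profile directory for JWT-shaped strings, so Local Storage files are covered without parsing their format. The profile directory, table layout, cookie names, hosts and audiences are all constructed stand-ins, and the tokens are unsigned and useless against any real service. The same scan doubles as the self-audit an Electron developer can run against their own app's profile directory before and after moving tokens into an OS-backed store such as KeyTar.

```python
# Added example (not Vectra's PoC or Microsoft code). Every file written here is a
# constructed stand-in; the tokens are unsigned and useless against any real service.
import base64
import json
import os
import re
import sqlite3
import tempfile
import time

# A JWT is three base64url segments joined by '.'; the header always starts with "eyJ"
# (base64url of '{"'), which makes a cheap anchor for scanning raw bytes of any file.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def _b64url_encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64url_decode(seg: bytes) -> bytes:
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))


def decode_claims(token: bytes) -> dict:
    """Read a JWT payload found on disk. The signature is deliberately not verified:
    the question is what a local reader learns, not whether the token is trusted."""
    _header, payload, _signature = token.split(b".")
    claims = json.loads(_b64url_decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def make_fake_token(claims: dict) -> bytes:
    """Unsigned, JWT-shaped string for the demo (constructed input, junk signature)."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return header + b"." + body + b"." + _b64url_encode(b"\x00" * 32)


def cookies_with_tokens(db_path: str) -> list:
    """The PoC's route: read the Cookies DB with SQLite; returns (host_key, name, value)
    for every cookie whose value is JWT-shaped."""
    db = sqlite3.connect(db_path)
    try:
        rows = db.execute("SELECT host_key, name, value FROM cookies").fetchall()
    finally:
        db.close()
    return [(h, n, v.encode()) for h, n, v in rows if JWT_RE.fullmatch(v.encode())]


def scan_file(path: str, now: float) -> list:
    """Raw-byte scan: finds tokens in any on-disk format (SQLite, LevelDB, JSON)
    without parsing it, and reports whether each one is still live at `now`."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits, seen = [], set()
    for match in JWT_RE.finditer(data):
        token = match.group(0)
        if token in seen:
            continue
        seen.add(token)
        try:
            claims = decode_claims(token)
        except ValueError:
            continue  # base64url-looking bytes that are not really a JWT
        exp = claims.get("exp")
        hits.append({"file": os.path.basename(path), "aud": claims.get("aud"),
                     "scp": claims.get("scp"), "live": exp is None or exp > now})
    return hits


def scan_profile(root: str, now: float) -> list:
    """Walk a profile directory and collect every token-shaped string in every file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            found.extend(scan_file(os.path.join(dirpath, name), now))
    return found


def build_sample_profile(root: str, now: float) -> None:
    """Constructed profile: a Chromium-style Cookies table holding a live token and a
    Local Storage blob (LevelDB-like) holding an expired one. Names and hosts are made up."""
    live = make_fake_token({"aud": "https://api.example.test",
                            "scp": "user_impersonation", "exp": int(now) + 3600})
    stale = make_fake_token({"aud": "https://graph.example.test", "exp": int(now) - 86400})
    db = sqlite3.connect(os.path.join(root, "Cookies"))
    with db:
        db.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, expires_utc INTEGER)")
        db.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)",
                       [(".example.test", "authtoken", live.decode(), 0),
                        (".example.test", "prefs", "theme=dark", 0)])
    db.close()
    ls_dir = os.path.join(root, "Local Storage", "leveldb")
    os.makedirs(ls_dir)
    with open(os.path.join(ls_dir, "000003.ldb"), "wb") as fh:
        fh.write(b"\x00\x07_app\x00\x01token\x01" + stale + b"\x00\xff")


def demo(now: float) -> dict:
    """Build the sample profile in a temp dir and run both checks against it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_profile(root, now)
        return {"cookies": cookies_with_tokens(os.path.join(root, "Cookies")),
                "hits": scan_profile(root, now)}


if __name__ == "__main__":
    print(json.dumps(demo(time.time()), indent=2, default=str))
```

Run as-is to see it work on the constructed sample; point `scan_profile` at a real Electron profile directory to audit an install. A developer who moves tokens into KeyTar should see the cookie-database hits disappear; if the raw-byte scan still finds them, the token is being persisted somewhere else as well. The `live` flag matters for incident response: a token copied from disk is only useful to an attacker until its `exp` claim passes.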

Microsoft says this is not a serious issue

Microsoft has acknowledged the issue, but a company spokesperson told the security news site Dark Reading that it has chosen not to patch it immediately. This is what it said:

"The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network."

In other words, the technique requires an attacker who already has code execution on the victim's machine, whether through physical access or malware, and Microsoft's position is that for most users such an attacker is already the real problem. The counterpoint is that the tokens lower the cost of what comes next: an unprivileged process can copy them in seconds and they can be replayed from elsewhere without triggering MFA.

Connor Peoples, a security architect at Vectra, noted that Microsoft's move toward Progressive Web Apps would mitigate the issues inherent in Electron. Until the bug is patched, Vectra advises users to avoid the Teams desktop app and use Teams in a web browser instead.

Ghacks Technology News



  1. Samm said on September 17, 2022 at 7:03 pm

    Microsoft is correct, it’s not a serious issue. A basic understanding of computer security is all you should need to know that.

    It’s like someone complaining to a car manufacturer that their car is insecure because a thief broke into their house and stole their car keys. The issue was never with the car, it’s with the security of the house.

  2. Anonymous said on September 17, 2022 at 4:05 am

    I wonder why this is news. You can also view auth tokens in your favorite browser, just open the dev console.

    If someone can read your tokens on your computer, the first thing you should worry about is not Microsoft Teams.

  3. John G. said on September 16, 2022 at 8:58 pm

    “Microsoft says this is not a serious issue.” LOL
    Thanks @Ashwin for the article! :]
