Microsoft: Token-Mining Vulnerability in Teams is Not Critical to Fix

Security researchers have recently identified a vulnerability in the Microsoft Teams desktop app. The security flaw could allow attackers to access authentication tokens and accounts with multi-factor authentication (MFA) enabled.

According to the cybersecurity company Vectra, Microsoft Teams stores user authentication tokens in plain text on the device. It would allow threat actors with local access to an affected system to steal the tokens and remotely sign in to the compromised account. The vulnerability affects the desktop versions of Microsoft Teams on Windows, Mac, and Linux.

“Anyone who installs and uses the Microsoft Teams client in this state is storing the credentials needed to perform any action possible through the Teams UI, even when Teams is shut down. This enables attackers to modify SharePoint files, Outlook mail and calendars, and Teams chat files,” Vectra researchers explained.

The researchers added that attackers could use the vulnerability to hijack accounts of high-profile employees (such as the CEO or CFO). It makes it easier to launch phishing campaigns and potentially disrupt the operations of an entire organization.

Microsoft to patch the Teams flaw in a future update

Vectra first discovered the security flaw and disclosed it to Microsoft in August this year. However, Microsoft believes that the exploit doesn’t meet its severity criteria for immediate patching, and it plans to fix the bug in a future update.

“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release,” a Microsoft spokesperson said in a statement to Bleeping Computer.

Last year, Microsoft started working on a new web-based “Teams 2.0” desktop app, which ditches the Electron framework in favor of Edge Webview 2. All Electron applications have some known security issues, and the new Teams app should provide better OS-level security to protect cookies and storage. However, there is no ETA on when it will be available for enterprise customers.