The desktop version of Microsoft Teams stores unencrypted user credentials. Researchers notified Microsoft of the vulnerability, but the tech giant ignored the problem.
The vulnerability was found by security firm Vectra. The desktop version of Teams stores user authentication tokens unencrypted. These tokens grant access to the user's account, so storing them in plaintext lets anyone who can read them abuse them.
The tokens are stored on the device on which Teams is installed. A hacker with access to the device has access to the tokens. “This attack does not require special permissions or advanced malware to get away with major internal damage”, Connor Peoples explained on behalf of Vectra.
The vulnerability is present in Teams’ desktop versions for Windows, Linux and Mac. Vectra notified Microsoft of the problem in August 2022. According to Vectra, the tech giant did not deem the vulnerability severe enough for a patch. Hence, the security company informed the press.
Vulnerability in Microsoft Teams
Microsoft Teams is based on Electron, a software development framework. Electron applications run inside a bundled browser engine and support the same features as web pages, including cookies and logs.
The standard version of the framework does not encrypt the data it stores on disk. Hence, the standard version is rarely used for large-scale and sensitive applications. Microsoft Teams is an exception to the rule.
During an analysis of Microsoft Teams, Vectra stumbled upon a file containing unencrypted access tokens. Moreover, a cookies folder exposed account information and session data.
Vectra developed an API to extract and transmit user access tokens. There is not much holding cybercriminals back from applying the same method; the only prerequisite is local access to the system on which Microsoft Teams is installed.
Microsoft is unlikely to publish a patch in the short term. The tech giant was notified in August 2022 and refused to update the software. The vulnerability’s disclosure may provoke a response, but there are no guarantees.
Vectra advises users to avoid the desktop versions of Teams entirely. According to the security firm, the browser version is more secure. Linux users are advised to find a new communications platform, as Microsoft plans to cease support for the operating system as of December 2022.
Website BleepingComputer asked Microsoft for a statement, but initially received no response.