Security researchers from Vectra Protect identified a major new vulnerability in Microsoft Teams, but Microsoft says there’s no need for a fix.

“Our research discovered that the Microsoft Teams App stores authentication tokens in cleartext,” Vector Research’s Connor Peoples explains. “With these tokens, attackers can assume the token holder’s identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker’s system. Even worse, these stolen tokens allow attackers to conduct actions against [multi-factor authentication] MFA-enabled accounts, creating an MFA bypass.”

The vulnerability exists in the native client of Teams for Windows, Mac, and Linux, which was developed using Electron, and the underlying culprit responsible for this vulnerability: Despite being based on web technologies, Electron doesn’t support standard browser controls like encryption, the firm notes, or system-protected file locations.

Vector Research contacted Microsoft about the vulnerability and was told that it did not require immediate patching.

“The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network,” a Microsoft statement explains. “We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing [it] in a future product release.”

Vector Research suggests that Teams users use the web-based version of Teams exclusively until Microsoft fixes this vulnerability. But that may happen slowly, if at all: Microsoft is allegedly moving the Teams codebase to web-standard Progressive Web App (PWA) technologies that do not share Electron’s security issues.

Tagged with Microsof Teams, Security