Microsoft confirms vulnerability in Teams by storing tokens in plaintext

Spread the love

Microsoft Teams desktop application stores tokens locally in plaintext; that is reported by security researchers from the company Vectra. These are authentication tokens, which can be used to log into a victim’s account.

Vectra writes on its website that the company discovered the security risk in August and reported it to Microsoft. The security company calls it a dangerous security risk, because the obtained tokens can also be used to log into an account if it is secured with two-step authentication. Especially if the tokens of a high-ranking employee within a company are stolen, the damage can be significant, according to Vectra.

According to Microsoft, it’s not that big of a risk, because an attacker would have to gain access to the victim’s network, reports a Microsoft spokesperson to Bleeping Computer. “We don’t consider the technique described for an acute fix, because an attacker must first gain access to the victim’s network. We appreciate that Vectra Protect has identified this and reported it responsibly. We will consider this for a future product release”. Until Microsoft comes up with a solution, Vectra recommends using the browser version of Microsoft Teams. According to the company, this protects better against the leakage of the tokens.

Microsoft Teams

You might also like
Exit mobile version