The Vectra security team recently identified that Microsoft Teams stores authentication tokens in unencrypted plaintext, allowing attackers to potentially control communications within an organization.
• In August 2022, researchers on the Vectra Protect team identified an attack path that enables malicious actors with file system access to steal credentials for any Microsoft Teams user who is signed in.
• The Microsoft Teams app stores authentication tokens in cleartext, and attackers do not require elevated permissions to read these files. This exposes the issue to any attack that provides malicious actors with local or remote system access.
• Using these tokens, attackers can assume the token holder’s identity for any actions possible through the Microsoft Teams client, including using that token for accessing Microsoft Graph API functions from an attacker’s system.
• Microsoft acknowledged the issues and opted not to patch.
• In 2019, the Open Web Application Security Project (OWASP) released a top 10 list of API security issues. The current issue could be considered either Broken User Authentication or a Security Misconfiguration, the second and seventh ranked issues on the list.