Severe Security Flaw in Microsoft Teams Desktop App Let Attackers Access Authentication Tokens

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Earlier, in August 2022, Vectra researchers discovered an attack path that lets attackers with file system access steal credentials for any signed-in Microsoft Teams user.

Reports say the attackers do not require any additional permissions to read these files, and the issue affects all commercial and GCC desktop Teams clients for Windows, Mac, and Linux. Vectra reported the issue to Microsoft, but Microsoft said it did not meet their bar for immediate servicing.

Severe Security Flaws in the Desktop App for Microsoft Teams

Microsoft Teams is a proprietary business communication platform developed by Microsoft as part of the Microsoft 365 family of products. Teams competes primarily with the similar service Slack, offering workspace chat and videoconferencing, file storage, and application integration.

The Microsoft Teams desktop app stores authentication tokens in cleartext, and with these tokens attackers can assume the token holder’s identity for any action possible through the Microsoft Teams client.

Authentication token on the Cookies directory (Vectra)
The researchers used the SQLite engine, which does not require installation: the exploit downloads SQLite to a local folder and executes it to read the Cookies DB, from which they extract the Skype access token required for sending messages.

Token received as text in the attacker’s personal chat (Vectra)
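As an added defensive example (not code from the Vectra research or from this article), the following Python detector runs over constructed file-access and process-creation audit lines and flags the two behaviours described above: a process other than Teams itself reading the Teams Cookies database, and a SQLite binary launched from a user-writable folder rather than an installed location. The log format, the Teams path pattern and the sample paths are assumptions; adjust them to your own telemetry.

```python
import re
from dataclasses import dataclass
# Constructed, simplified audit-log format (an assumption, not a real product's format):
#   <timestamp> <event> pid=<n> image="<process path>" target="<file or new process path>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>FileRead|ProcessCreate) pid=(?P<pid>\d+) '
    r'image="(?P<image>[^"]+)" target="(?P<target>[^"]+)"$'
)
# Placeholder path patterns: the article only says the token sits in the Teams
# "Cookies" DB, so adjust these to the real Teams user-data location you observe.
TEAMS_COOKIE_DB = re.compile(r'[\\/]Microsoft[\\/]Teams[\\/](.*[\\/])?Cookies$', re.I)
TEAMS_IMAGE = re.compile(r'[\\/]Teams(\.exe)?$', re.I)
SQLITE_IMAGE = re.compile(r'[\\/]sqlite3?(\.exe)?$', re.I)
USER_WRITABLE = re.compile(
    r'[\\/](Users|home)[\\/][^\\/]+[\\/](Downloads|AppData[\\/]Local[\\/]Temp|tmp)[\\/]', re.I)
@dataclass
class Alert:
    ts: str
    rule: str
    detail: str

def detect(lines):
    """Return alerts for the two behaviours the article describes."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown format: skip rather than guess
        ev = m.groupdict()
        # 1) Anything other than the Teams binary itself reading the Cookies DB.
        if (ev['event'] == 'FileRead' and TEAMS_COOKIE_DB.search(ev['target'])
                and not TEAMS_IMAGE.search(ev['image'])):
            alerts.append(Alert(ev['ts'], 'teams_cookie_db_read_by_foreign_process',
                                f"{ev['image']} read {ev['target']}"))
        # 2) A SQLite binary started from a user-writable folder (dropped, not installed).
        elif (ev['event'] == 'ProcessCreate' and SQLITE_IMAGE.search(ev['target'])
                and USER_WRITABLE.search(ev['target'])):
            alerts.append(Alert(ev['ts'], 'sqlite_launched_from_user_writable_dir',
                                ev['target']))
    return alerts

# Constructed sample telemetry: a benign Teams read, then a dropped sqlite3.exe reading the DB.
SAMPLE_LOG = [
    '2022-09-13T10:01:02Z FileRead pid=4120 image="C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" target="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"',
    '2022-09-13T10:05:44Z ProcessCreate pid=5210 image="C:\\Windows\\System32\\cmd.exe" target="C:\\Users\\alice\\Downloads\\sqlite3.exe"',
    '2022-09-13T10:05:45Z FileRead pid=5210 image="C:\\Users\\alice\\Downloads\\sqlite3.exe" target="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Teams\\Cookies"',
    '2022-09-13T10:06:00Z FileRead pid=900 image="C:\\Program Files\\Backup\\agent.exe" target="C:\\Users\\alice\\Documents\\report.docx"',
]
```

Running `detect(SAMPLE_LOG)` yields two alerts, one per rule, while the legitimate Teams.exe read and the unrelated document read are ignored.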

“The desktop application creates opportunities for attackers to use credentials outside their intended context because, unlike modern browsers, there are no additional security controls to protect cookie data,” Vectra said.

Experts also note that attackers can conduct communications within an organization. By assuming full control of critical seats, such as a company’s Head of Engineering, CEO, or CFO, attackers can convince users to perform tasks that damage the organization.

Recommendation

The researchers recommend using the web-based Teams client inside Microsoft Edge, which has multiple OS-level controls to protect against token leaks. Linux users are advised to move to a different collaboration suite, particularly since Microsoft has announced plans to stop supporting the Linux app by December.