# Microsoft Teams Is Now Storing Authentication Tokens In Cleartext
A security loophole has been uncovered in Microsoft Teams. A report by security firm Vectra reveals that Microsoft Teams is storing authentication tokens in plain text.
## Microsoft Teams Security Issue
The vulnerability affects the desktop versions of Teams for Windows, macOS, and Linux. Threat actors with physical or remote access to a victim’s system can retrieve user credentials without needing administrator privileges. Hackers can bypass 2-factor authentication and access other linked apps like Skype and Outlook. This could lead to impersonation, data manipulation, or targeted phishing attacks.
## How the Vulnerability was Discovered
Vectra’s researchers were assisting a client in deleting old accounts from Microsoft Teams. Because the app doesn’t offer this feature, they examined its files and found some containing authentication tokens stored in plain text. They then created a test to demonstrate how easy it is to access user accounts using these tokens.
The report highlights a problem with the Electron framework, which Teams is built on: it lacks standard security protocols. Similar vulnerabilities have been identified in other Electron-based apps like WhatsApp and Slack. Developers using Electron are advised to store authentication tokens securely, for example, by using OAuth with KeyTar.
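To illustrate the storage advice above, here is an added example (not code from Vectra, Microsoft or Teams) that moves tokens from a plaintext JSON file into an OS keychain through an object exposing keytar's `setPassword`/`getPassword`/`deletePassword` promise API. The service name, the file layout and the in-memory stand-in keychain are assumptions made for illustration.

```javascript
// Added example. SERVICE and the {"account": "token"} file layout are assumed.
const SERVICE = 'example-electron-app'; // hypothetical keychain service name

// `keychain` is any object with keytar's promise API; in a real Electron
// main process this would be createTokenStore(require('keytar')).
function createTokenStore(keychain) {
  return {
    save: (account, token) => keychain.setPassword(SERVICE, account, token),
    load: (account) => keychain.getPassword(SERVICE, account),
    clear: (account) => keychain.deletePassword(SERVICE, account),
  };
}

// One-time migration: copy each token from the legacy plaintext file into the
// keychain, read it back to verify, and delete the file only after all succeed.
async function migratePlaintextTokens(legacyPath, store) {
  const fs = await import('node:fs/promises');
  let raw;
  try {
    raw = await fs.readFile(legacyPath, 'utf8');
  } catch (err) {
    if (err.code === 'ENOENT') return 0; // no legacy file, nothing to migrate
    throw err;
  }
  let moved = 0;
  for (const [account, token] of Object.entries(JSON.parse(raw))) {
    if (typeof token !== 'string' || token.length === 0) continue; // skip junk
    await store.save(account, token);
    if ((await store.load(account)) !== token) {
      throw new Error(`keychain write not verified for ${account}`);
    }
    moved += 1;
  }
  await fs.rm(legacyPath); // the cleartext copy goes away last
  return moved;
}

// In-memory stand-in with keytar's method names, constructed for this demo.
function createMemoryKeychain() {
  const entries = new Map();
  const key = (service, account) => `${service}\u0000${account}`;
  return {
    setPassword: async (s, a, p) => { entries.set(key(s, a), p); },
    getPassword: async (s, a) => (entries.has(key(s, a)) ? entries.get(key(s, a)) : null),
    deletePassword: async (s, a) => entries.delete(key(s, a)),
  };
}
```

Deleting the file does not scrub the old disk blocks, so tokens that were stored in cleartext should also be revoked and reissued after migration.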
## Microsoft’s Response
Microsoft has acknowledged the vulnerability but has decided not to patch it right away. They claim that for the bug to be exploited, an attacker needs to breach the target network first. Therefore, they believe most users are not at immediate risk unless their network is already compromised.
Vectra Security recommends avoiding the Microsoft Teams desktop app until the vulnerability is fixed and suggests using the web browser version instead.