Power Apps is part of the wider Microsoft Power Platform (alongside Power Automate and Power BI). Teams lets users add a Power App as a tab in any team they belong to; these small applications are typically used to automate Office 365 workflows and similar tasks.
A tab works by loading an iframe on a domain the application specifies; the iframe's address is supplied as a parameter in the tab configuration rather than being hard-coded in the Teams client. The author of the original write-up wondered whether an arbitrary URL could be loaded here. The first attempts failed, but after some experimenting they worked out the conditions under which it would load: the page has to use the Teams JS SDK, and the URL has to start with https://make.powerapps.com.
To point the tab at an attacker-controlled URL, the author simply issued a PUT request updating the application's tab configuration. The validation never parsed the value as a URL, so it could not tell that the expected host was merely a prefix of the real hostname: it only checked that the beginning of the string matched. As a result, https://make.powerapps.com.fakecorp.ca/ passed the check, even though that hostname sits under fakecorp.ca, a domain the attacker controls. But if all an attacker gains is their own domain loaded in an iframe, what's the big deal?
The loaded application talks to the powerapps.com page via postMessage, and that page in turn talks to the top window on teams.microsoft.com. The postMessage interface is expansive and was built on the assumption that only trusted code would be running on the other end, and that is where the problem lies. It turned out that an access token was handed to the iframe on request, with no further authentication, giving access to a large amount of information.
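To make the two failures above concrete, here is an added example in JavaScript (it is not code from the original write-up or from Microsoft): a string-prefix check on a tab URL of the kind the page describes, next to a check on the parsed origin, and a postMessage receiver that applies the parsed-origin check before releasing a token. The allowlist, the function names, the message shape (`{ type: "getAuthToken" }`) and the sample URLs are all assumptions for illustration; the real Teams SDK message format is not reproduced here.

```javascript
// Added example, not from the original write-up or Microsoft's code.
// The allowlist and message shape below are illustrative assumptions.

const ALLOWED_ORIGINS = new Set([
  "https://make.powerapps.com",
  "https://apps.powerapps.com",
]);

// Weak check: the prefix comparison the page describes. Anything whose text
// starts with the expected string passes, including a hostname that merely
// begins with "make.powerapps.com" or a userinfo trick like
// "https://make.powerapps.com@evil.example/".
function isAllowedByPrefix(contentUrl) {
  return contentUrl.startsWith("https://make.powerapps.com");
}

// Hardened check: parse with the WHATWG URL parser and compare the origin
// (scheme + host + port) against an exact allowlist. Anything that does not
// parse as an absolute https URL is rejected.
function isAllowedByOrigin(contentUrl) {
  let parsed;
  try {
    parsed = new URL(contentUrl);
  } catch {
    return false; // not an absolute URL at all
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Receiver side of a postMessage channel. `event` is shaped like a browser
// MessageEvent ({ origin, data }); a host page would attach this with
// window.addEventListener("message", e => handleTabMessage(e, mintToken)).
// Returns the reply that would be posted back, or null when the message is
// dropped. The origin is the one the browser attached to the event, never
// anything the message body claims about itself.
function handleTabMessage(event, issueToken) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  if (!event.data || event.data.type !== "getAuthToken") return null;
  return { type: "getAuthToken", token: issueToken() };
}

// Stand-alone demonstration with constructed inputs.
const attackerUrl = "https://make.powerapps.com.fakecorp.ca/";
console.log("prefix check accepts attacker URL:", isAllowedByPrefix(attackerUrl));
console.log("origin check accepts attacker URL:", isAllowedByOrigin(attackerUrl));
console.log(
  "token released to attacker frame:",
  handleTabMessage(
    { origin: "https://make.powerapps.com.fakecorp.ca", data: { type: "getAuthToken" } },
    () => "example-token"
  )
);
```

The receiver deliberately reuses the same allowlist as the URL check: the trust decision about which frame may ask for a token is the same decision as which URL may be loaded, and making it in two places with two different rules (a prefix match in one, an exact origin in the other) is how the gap on this page opened up.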
Many researchers would have stopped at obtaining the access token, but the author wanted to see how much damage it could do. The exploitation involved using the token to set up a Power Automate flow that read the victim's Teams messages and forwarded them to an attacker-controlled email address. Beyond exfiltrating messages, the same access could be used to alter the account in other ways.
The trust boundaries were not well defined here. An extremely simple bug provided the entry point, and once the attacker was inside, nothing questioned their subsequent requests. I would be curious to see whether Microsoft adds defense-in-depth measures against this class of attack in the future.
A further consideration is that the rich (and genuinely useful) functionality worked against Microsoft here. The automation features work well, but they let the attacker register a flow that stole every Teams message and then remove all trace of what they had done. That is a very attractive avenue for an attacker, since they may never be caught.