Microsoft closes loophole to prevent email and file theft

Steal emails, OneDrive and Sharepoint files or even Teams messages. This is a dark scenario that millions of users of Microsoft’s messaging and collaborative sharing tools have undoubtedly been able to avoid. Security researcher Evan Grant, working at Tenable, has detailed a hack allowing an attacker to access read and write system privileges on essential Microsoft messaging and collaboration services (Outlook, Teams, SharePoint, OneDrive…) . The exploit vector is for a vulnerability in Power Apps Service, discovered on March 26, 2021 and confirmed by Microsoft four days later. The latter told Tenable on June 11 that the flaw has been filled and automatically corrected without any action from users and companies, leaving the company free to specify its hack.

As part of his research, Evan Grant found a way to trap custom Teams tabs (tab) and automated workflows (power automate flows) by injecting malicious code into the iframe for creating a Power Apps application . This vulnerability is related to a bad setting of makerPortalUrl in apps.powerapps.com/teams/makerportal preventing to verify and validate that it is indeed a legitimate action. “The validation mechanism used to confirm that tab content is from a trusted source only verifies that a given URL begins with https://make.powerapps.com and no more. This means an attacker can simply create a subdomain of make.powerapps.com for any domain they control, such as https://make.powerapps.com.fakecorp.ca, which allows them to load untrusted content in a Power Apps tab.

An escalation to additional rights

This flaw then allows an attacker to have almost all the house keys and load malicious content into an apps.powerapps.com iframe. With the ability to retrieve authentication tokens by accessing the Windows.postMessage communication. Those relating to service.flow.microsoft are particularly interesting. Why ? Because through them, others provide additional rights such as creating automated workflows to access Outlook e-mails, Teams messages as well as OneDrive or Sharepoint files.

“Although this is a long and not entirely simple attack, its potential impact could be enormous, especially if it affects an administrator of the organization. That such a small initial bug (the incorrect validation of the make.powerapps.com domain) can be exploited until an attacker exfiltrates emails, Teams messages, OneDrive and SharePoint files is truly concerning. This means that even a small bug in a service like Microsoft Power Apps could lead to the compromise of many others via tokens and connections to connectors,” Evan Grant warned.