What is Teams?

Microsoft Teams is a chat application for companies, similar to Slack. It is widely dreaded, but since it is usually included in the price of the Office360/AD subscription, most people are forced to use it.

Clients and APIs

Both the desktop client, and the web application communicate over HTTP. The desktop application is basically an Electron app that displays the website.

Since the clients all work in browsers, the messages are formatted and transmitted as HTML.

Security

The security issues with Teams comes from the liberal formatting options, combined with the fact that the clients are basically web browsers that render whatever HTML the server sends them.

While the tags you can use are limited, there are a lot of CSS properties you can play with.

Without even using external tools, you can accomplish some mischief. The message composer UI allows you to add links, and provide the anchor text for them.

This will let you send the link https://evil-example.com and change the text to https://example.com.

This is a feature of Teams, so it might be argued that it is not a problem, but it can also be argued that a chat program should highlight the link as sketchy when the anchor text is a clearly different URL than the actual link.

Unrestricted text formatting

Another issue of Teams is the fact that you can send a very wide range of CSS properties with your message. This lets you change the size, style, foreground and background colours of different parts of your message, including making sections completely invisible.

Clipboard hijacking

Using the CSS property font-size, you can make just one section of the text really small, like 0.000001em. Practically, this means that element will not be rendered on the client. But when a user selects the text to copy it, it will be copied to the clipboard correctly.

For example, you can send the following code snippet and make the section in the brackets invisible.

SELECT [1; DROP TABLE Customer; -- ] * from Customer;