通过GIF图片可对Microsoft Teams用户账户进行劫持(2)

这里存在的问题是，Microsoft Teams如何保证正确或有权限的用户才能查看到这些图片呢？如用户分享的图片应该只有互相才能看到，为此，Microsoft Teams增加了名为“authtoken”和“skypetoken_asm”的cookie来进行访问限制，如下图“authtoken”cookie所示：

上图中可以看到，“authtoken”cookie中包含了一个JWT形式的access token，它会被发送到*.teams.microsoft.com，该JWT的处理后端是api.spaces.skype.com，也即是说只有特定的域名才能接收该token。但api.spaces.skype.com只负责验证token，并不处理具体的消息发送请求，为此需要找到包含token的发起请求。

接下来，我们在Microsoft Teams聊天消息的网络交互中，找到了包含skypetoken，执行图片分享浏览的请求：

GET https://amer.ng.msg.teams.microsoft.com/v1/users/ME/conversations/19%3A...%40unq.gbl.spaces/messages?view=msnp24Equivalent|supportsMessageProperties&pageSize=200&startTime=1 HTTP/1.1

Host: amer.ng.msg.teams.microsoft.com

Connection: keep-alive

Pragma: no-cache

Cache-Control: no-cache

x-ms-session-id: 00000000000-0000-0000-0000-00000000000

BehaviorOverride: redirectAs404

x-ms-scenario-id: 00

x-ms-client-cpm: ApplicationLaunch

x-ms-client-env: 

x-ms-client-type: 

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

ClientInfo: 

Accept: json

Sec-Fetch-Dest: empty

x-ms-client-version: 

x-ms-user-type: user

Authentication: skypetoken=eyJhbGciOiJSUzI1NiIsImtpZCI6IkVhc3RlckVnZyA6KSIsInR5cCI6IkpXVCJ9.eyJ...

Origin: https://teams.microsoft.com

Sec-Fetch-Site: same-site

Sec-Fetch-Mode: cors

Referer: https://teams.microsoft.com/_

Accept-Encoding: gzip, deflate, br

Accept-Language: en-US,en;q=0.9

从上图中可以看到，要发起这么一个图片请求首先需要获取一个“skypetoken”，但如何来得到呢？在更深入的网络交互分析中，我们发现下面的POST请求即是创建“skypetoken”的请求：

POST /api/authsvc/v1.0/authz HTTP/1.1

Host: teams.microsoft.com

Connection: close

Content-Length: 0

Pragma: no-cache

Cache-Control: no-cache

x-ms-session-id: 00000000000-0000-0000-0000-00000000000

x-ms-scenario-id: 00

x-ms-user-type: user

x-ms-client-env: 

x-ms-client-type: 

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IktleXMiLCJraWQiOiJLZXlzRXZlcnlXaGVyZSJ9.eyJ...

Accept: application/json, text/plain, */*

X-Client-UI-Language: en-us

Sec-Fetch-Dest: empty

ms-teams-authz-type: TokenRefresh

x-ms-client-version: 

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36

Origin: https://teams.microsoft.com

Sec-Fetch-Site: same-origin

Sec-Fetch-Mode: cors

Referer: https://teams.microsoft.com/_

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Cookie: {redacted}