Seems Microsoft has patched the "Forbidden" response message bug that…

… allowed tenants who disabled Teams access between users outside of the org to be enumerated
Flangvik · Apr 24, 2023 · 35bad0f · 35bad0f
1 parent 0a50b44
commit 35bad0f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/TeamFiltration/TeamFiltration/Handlers/TeamsHandler.cs b/TeamFiltration/TeamFiltration/Handlers/TeamsHandler.cs
@@ -166,7 +166,7 @@ public async Task<WorkingWithResp> GetWorkingWithList(string tenantId)
         failedResp:
             //TODO:Add logic to select FireProx endpoint based on current location 
 
-            var enumUserReq = await _teamsClient.PollyGetAsync(enumUserUrl + $"{TeamsRegion}/beta/users/{username}/externalsearchv3");
+            var enumUserReq = await _teamsClient.GetAsync(enumUserUrl + $"{TeamsRegion}/beta/users/{username}/externalsearchv3");
 
 
             if (enumUserReq.IsSuccessStatusCode)
@@ -180,7 +180,7 @@ public async Task<WorkingWithResp> GetWorkingWithList(string tenantId)
                 {
                     //get the object
                     List<TeamsExtSearchRep> responeObject = JsonConvert.DeserializeObject<List<TeamsExtSearchRep>>(userResp);
-               
+
                     //Any size
                     if (responeObject.Count() > 0)
                     {
@@ -225,7 +225,7 @@ public async Task<WorkingWithResp> GetWorkingWithList(string tenantId)
                             catch (Exception ex)
                             {
 
-                                
+
                             }
 
                             return (true, responeObject.FirstOrDefault().objectId, responeObject.FirstOrDefault(), Outofofficenote);
@@ -237,8 +237,8 @@ public async Task<WorkingWithResp> GetWorkingWithList(string tenantId)
             }
             else if (enumUserReq.StatusCode.Equals(HttpStatusCode.Forbidden))
             {
-                //If we get the forbidden error response, we can assume it's valid!
-                return (true, Guid.NewGuid().ToString(), null, null);
+                //As of 24.04.2023 - Seems like MS have patched this.
+                return (false, "", null, null);
             }
             else if (enumUserReq.StatusCode.Equals(HttpStatusCode.InternalServerError))
             {

diff --git a/TeamFiltration/TeamFiltration/Program.cs b/TeamFiltration/TeamFiltration/Program.cs
@@ -118,7 +118,7 @@ static async Task Main(string[] args)
 ";
 
             Console.WriteLine(asci);
-            Console.WriteLine("[♥] TeamFiltration V3.5.1 PUBLIC, created by @Flangvik at @TrustedSec");
+            Console.WriteLine("[♥] TeamFiltration V3.5.2 PUBLIC, created by @Flangvik at @TrustedSec");
             Console.WriteLine($"[+] Args parsed {string.Join(' ', args)}");