Introduction - Dial-in Function
After searching for a recorded Microsoft Teams meeting, I came across the option to join the meeting by phone. I entered a past meeting with my mobile phone. Out of curiosity I decided to try out this function: the microphone on my laptop is rather bad, and this feature seemed like a good way to improve my video-call experience.
Once connected, I could take part from a second device. The interesting thing is that you can enter someone else's number, so that another person is called and joins the meeting. This means that I can hold a conversation with anyone who has a telephone connection.
The question remains: who pays for this call, Microsoft or Fontys?
Impact
This misconfiguration makes it possible to place free calls to outside phone numbers, a serious risk for Fontys because it is not clear who is paying for the calls.
Steps to reproduce
Join a Microsoft Teams meeting created by a teacher. Enter a phone number and click "Call me". An unknown phone number calls the entered number; answering the phone places the callee in the meeting. It is not possible to create a meeting and use this feature with student rights.
Misconfiguration Reported
After I found out that the audio feature in Microsoft Teams can be abused this way, I wrote a small report. I then contacted the teacher, who sent the report to the Fontys IT helpdesk.
Mitigation
After a few months, the Fontys IT team contacted me and switched off the function. The Fontys IT team asked me to test whether the feature was still available. Sadly, they had indeed disabled the option to join a meeting by phone number.
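How an administrator would apply the mitigation the Fontys IT team chose, as an added example that is not part of the original report and not Fontys' own script: Microsoft Teams controls dial-out from meetings through its outbound calling restriction policies, which are managed with the MicrosoftTeams PowerShell module. The policy that matters is the one assigned to the meeting organizer, so the accounts that can create meetings (teachers, in this report) are the ones that need the restrictive policy. The chosen policy name, the decision to apply it to every user, and the property and filter names below are assumptions to verify against current Microsoft documentation for your tenant.

```powershell
# Added example, not from the original report. Audits which users can still
# trigger dial-out ("Call me" / add a phone number) from the meetings they
# organize, then assigns a policy that disables conference dial-out.
# Assumptions: MicrosoftTeams module installed, caller holds a Teams admin
# role, and $targetPolicy is the policy Fontys wants (a placeholder choice).
Connect-MicrosoftTeams

# Built-in outbound calling restriction policies. The name encodes two parts:
# CPC  = dial-out from conferences (the feature abused in this report)
# PSTN = the user's own outbound phone calls
# "CPCDisabled" is the part that removes the free-call behaviour.
Get-CsOnlineDialOutPolicy | Select-Object Identity

# Disables conference dial-out but keeps domestic outbound calls for the user.
# Use "DialoutCPCandPSTNDisabled" if users should not place PSTN calls at all.
$targetPolicy = "DialoutCPCDisabledPSTNDomestic"

# Users whose effective policy still allows conference dial-out. An empty
# OnlineDialOutPolicy means the user inherits the tenant default, which
# (assumption) permits dial-out unless the tenant default was changed.
$exposed = Get-CsOnlineUser |
    Where-Object { -not $_.OnlineDialOutPolicy -or $_.OnlineDialOutPolicy -notmatch 'CPCDisabled' }
$exposed | Select-Object UserPrincipalName, OnlineDialOutPolicy

# Assign the restrictive policy to every exposed user.
foreach ($user in $exposed) {
    Grant-CsDialoutPolicy -Identity $user.UserPrincipalName -PolicyName $targetPolicy
}

# Re-check: the list below should now be empty. Policy changes can take a
# while to propagate, so repeat the check after some time as well.
Get-CsOnlineUser |
    Where-Object { -not $_.OnlineDialOutPolicy -or $_.OnlineDialOutPolicy -notmatch 'CPCDisabled' } |
    Select-Object UserPrincipalName, OnlineDialOutPolicy
```

The final check is the PowerShell equivalent of the retest the Fontys IT team asked for: join a meeting organized by a restricted user and confirm the "Call me" option no longer works. Because the policy is evaluated against the organizer, restricting only student accounts would not close the issue described above, since students could not create meetings in the first place.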
Disclosure Timeline
27-05-2020 - Vulnerability reported to a teacher.
27-05-2020 - Forwarded report to ISSD and IT Helpdesk.
23-09-2020 - Patched/tested misconfigured setting, ticket closed.