When sharing zip files in Microsoft Teams, it is possible to preview the directory structure of the uploaded zip by clicking on it in the chat window or by viewing it in the Files tab of the application. When doing this, a request is sent to a Microsoft-based cloud service in order to parse the zip and retrieve metadata for the file.
For example, in our demo case, we uploaded a test zip file in a private chat with another user. When previewing the file, a request was sent from our client to a host at southcentralus1-mediap.svc.ms via the following request:
GET /transform/zipmetadata?provider=spo&inputFormat=zip&docid=https%3A%2F%2Fredacted-my.sharepoint.com%2Fpersonal%2Fgfieri_redacted_onmicrosoft_com%2F_api%2Fv2.0%2Fdrives%2Fb!L-jkkq_7okulEJBVuo4wwWL0dEsOfiVInermNngi296Eor-JrcGfRpeH9Mhpnrta%2Fitems%2F01PVE52YEA2MOHYOW7RBAIZLHKSLXAESN4&access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik1yNS1BVWlidOZDFqQmViYXhib1hXMCIsImtpZCI6Ik1yNS1BVWliZkJpaTdOZDFqQmViYXhib1hXMCJ9.*************************REDACTED*************************.GqacBLirjG3fqOfcuULdYNkLtpxmCCnLDngS9niz64MpWDUBb7bv5fMj85e19qWtYDLpW_ZpuvvhLAm5JdxIG_4y9c7Q5II_HV6sJs3Akg114KK97xIE5Dq9W_nnQUpwNe0uh6UeWgCa0oFDpEYQr0IzIq5rPC7B3GDK5kwunbaertjCar9jDhRzqcYJ4_6nNHf_WRLc4j-_ln3QflTI5WsUgdl1ye9ufYp6_gpRNxwsvf8V3J9ZT4y34LlD-egJoAxdgjOg2BQehjaX8koXBhF4b8-Y4XAcK6oRbcgsENK8R1e1zEDpa_yzubylxhr7C09kyOGofgSns1jLRHOceA HTTP/2
Host: southcentralus1-mediap.svc.ms
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_16_0) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.4.00.34557 Chrome/85.0.4183.121 Electron/10.4.7 Safari/537.36
Accept: */*
Origin: https:
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https:
Accept-Encoding: gzip, deflate
Accept-Language: en-US
As you can see in the above request, the access token for this service is passed directly in the GET query parameters. This access token is the same token returned by login.microsoftonline.com and is valid for all SharePoint services the account has access to. Tokens for other services, such as Microsoft Teams, can also be retrieved using this access token. This means that an account can be taken over if this token is compromised.
Sensitive information should not be placed in URLs in this manner, as URLs may be logged in a variety of locations (the end user's browser history, backend services, proxies, etc.), which drastically increases the potential exposure of this token.
We suggested that Microsoft remove this token from the URL and send it in a proper Authorization header instead, as is done in all other associated SharePoint and Teams requests.
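The logging exposure described above is something a defender can check for on their own side. The following is an added example, not code from the original report or from Microsoft: it scans access-log lines for bearer tokens carried as URL query parameters, checks whether the value is JWT-shaped, and reports only a fingerprint so the finding does not re-expose the credential. The log line format ("host url status") and the sample lines are constructed assumptions.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

# "access_token" is the parameter the Teams request above uses; the
# other names are assumed extras worth checking in the same pass.
TOKEN_PARAMS = ("access_token", "token", "id_token")

def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict, or None if not JSON."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, TypeError):
        return None

def looks_like_jwt(value):
    """True if value has three base64url segments and a JSON header with 'alg'."""
    parts = value.split(".")
    if len(parts) != 3:
        return False
    header = _b64url_json(parts[0])
    return isinstance(header, dict) and "alg" in header

def find_url_tokens(log_lines):
    """Return one finding per token-bearing query parameter in the log.
    Token values are replaced by a short fingerprint (first 8 / last 4 chars)."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        host, url = fields[0], fields[1]  # assumed format: "<host> <url> <status>"
        parts = urlsplit(url)
        for name in TOKEN_PARAMS:
            for value in parse_qs(parts.query).get(name, []):
                findings.append({"host": host, "path": parts.path, "param": name,
                                 "jwt": looks_like_jwt(value),
                                 "fingerprint": value[:8] + "..." + value[-4:]})
    return findings

# Constructed sample: an unsigned fake JWT (signature is just "sig"), an opaque
# token value, and a request with no credential in the query string.
_FAKE_JWT = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
    for p in ({"typ": "JWT", "alg": "RS256"}, {"sub": "demo"})) + ".c2ln"
SAMPLE_LOG = [
    f"southcentralus1-mediap.svc.ms /transform/zipmetadata?provider=spo&access_token={_FAKE_JWT} 200",
    "example.test /api/items?token=opaque123456789 200",
    "example.test /transform/zipmetadata?provider=spo 200",
]
```

Running `find_url_tokens(SAMPLE_LOG)` flags the first two lines and leaves the third alone; the same function can be pointed at real proxy or web-server logs once the field indices are adjusted to that log format.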