Forum Discussion

SamG_A's avatar
SamG_A
Copper Contributor
May 25, 2020
Solved

Backdoor for Guest Users to see unauthorized Private Channel Files within a Team

Hi   I have a situation where Guest users can see content they have not been given access to.   Situation:  - I have an MS Team - It has two Private Channels: Alpha and Bravo - A guest users i...
Guest User
Private Channels
Sharepoint Permissions
teams
  • SamG_A's avatar
    SamG_A
    May 26, 2020

    @adam deltinger  We resolved the issue.

     

    Team Bravo was originally created before Private Channels came into existence last year. The original channel was a public channel.

     

    After private channels came out the follow happened:

    • a new private channel was created with a similar name
    • the Files content was copied across
    • the old public channel was deleted in Teams

     

    Unbeknownst to us, the public channel Files content is not deleted from Sharepoint when a channel is deleted in Teams.

     

    What was happening is that new guest users were able to access this residual public channel content. It appeared like current private team content because it had the same name and content up to the date is was migrated.

adam deltinger's avatar
adam deltinger
MVP
May 25, 2020
This shouldn’t be possible because private channels aren’t in the same site collections! Therefore you shouldn’t be able to browse I SharePoint and find the other private channel there! You sure they are private channels? Can you please explain the scenario and send images of the setup!?

Adam
  • SamG_A's avatar
    SamG_A
    Copper Contributor
    May 25, 2020

    adam deltinger 

     

    Scenario - we have a team - lets call it Blue Team. In it are a series of projects. Each project has its own private channel.

     

    People in the channel are a mix of employees and consultants (guests). We have found the guests can access the "Files" (sharepoint saved content) of the various private teams, even though they have not been given membership.

     

    They are all private channels, the general folder is 100% empty and was never used and the Guests are definently not in both channels

     

     

     

     

    • SamG_A's avatar
      SamG_A
      Copper Contributor
      May 26, 2020

      @adam deltinger  We resolved the issue.

       

      Team Bravo was originally created before Private Channels came into existence last year. The original channel was a public channel.

       

      After private channels came out the follow happened:

      • a new private channel was created with a similar name
      • the Files content was copied across
      • the old public channel was deleted in Teams

       

      Unbeknownst to us, the public channel Files content is not deleted from Sharepoint when a channel is deleted in Teams.

       

      What was happening is that new guest users were able to access this residual public channel content. It appeared like current private team content because it had the same name and content up to the date is was migrated.

    • ParLinderoth's avatar
      ParLinderoth
      Iron Contributor
      May 25, 2020

      SamG_A Is the first picture you have attached from the guest user? If so it looks like the guest user is member of both private channels since they are both visible in the team.

      • SamG_A's avatar
        SamG_A
        Copper Contributor
        May 25, 2020
        Hi - no its not. Its the admin.

        The guest user is not in Bravo and cannot see Bravo in that screenshot (sorry don't have a pic but it is confirmed)

Resources