Forum Discussion
Backdoor for Guest Users to see unauthorized Private Channel Files within a Team
- May 26, 2020
@adam deltinger We resolved the issue.
Team Bravo was originally created before Private Channels came into existence last year. The original channel was a public channel.
After private channels came out the following happened:
- a new private channel was created with a similar name
- the Files content was copied across
- the old public channel was deleted in Teams
Unbeknownst to us, the public channel Files content is not deleted from SharePoint when a channel is deleted in Teams.
What was happening is that new guest users were able to access this residual public channel content. It appeared like current private team content because it had the same name and content up to the date it was migrated.
Scenario - we have a team - let's call it Blue Team. In it are a series of projects. Each project has its own private channel.
People in the channel are a mix of employees and consultants (guests). We have found the guests can access the "Files" (SharePoint saved content) of the various private teams, even though they have not been given membership.
They are all private channels, the general folder is 100% empty and was never used and the Guests are definitely not in both channels.
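An audit for the cause identified in this thread, added here as an example and not posted by any participant: it lists folders in the team site's document library that no longer correspond to a current standard channel, which is where Files content from a deleted channel remains. It assumes the MicrosoftTeams and PnP.PowerShell modules, the default `Shared Documents` library path, and that channel folders carry the channel's display name; `Get-OrphanedChannelFolder` is a hypothetical helper name.

```powershell
#Requires -Modules MicrosoftTeams, PnP.PowerShell
param(
    [Parameter(Mandatory)] [string] $GroupId,   # Microsoft 365 group id of the team
    [Parameter(Mandatory)] [string] $SiteUrl,   # URL of the team's SharePoint site
    [string] $Library = 'Shared Documents'      # assumption: default library path
)

# Hypothetical helper: return the library folders whose name matches no
# current standard channel of the team.
function Get-OrphanedChannelFolder {
    param([object[]] $Folders, [string[]] $ChannelNames)

    $known = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $ChannelNames) { [void] $known.Add($name.Trim()) }
    [void] $known.Add('Forms')   # SharePoint system folder, not a channel

    $Folders | Where-Object { -not $known.Contains($_.Name.Trim()) }
}

Connect-MicrosoftTeams | Out-Null
# Recent PnP.PowerShell releases may also need -ClientId for your app registration.
Connect-PnPOnline -Url $SiteUrl -Interactive

# Private channels keep their files in a separate site, so only standard
# channels are expected to have a folder in the team site's library.
$channels = Get-TeamChannel -GroupId $GroupId -MembershipType Standard
$folders  = Get-PnPFolderItem -FolderSiteRelativeUrl $Library -ItemType Folder

# Anything listed here is still readable by whoever has access to the team
# site, including guests added after the channel was removed.
Get-OrphanedChannelFolder -Folders $folders -ChannelNames $channels.DisplayName |
    Select-Object Name, ServerRelativeUrl, TimeLastModified
```

A folder can also show up here because files were placed in the library directly, so review each result before deleting or restricting it.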