Forum Discussion
Backdoor for Guest Users to see unauthorized Private Channel Files within a Team
Hi
I have a situation where Guest users can see content they have not been given access to.
Situation:
- I have an MS Team
- It has two Private Channels: Alpha and Bravo
- A guest user is added to Alpha but can see the content in Bravo via one of two methods:
  - Clicking the "Purple" Files tab on the left-hand side of the Teams interface (under Activity, Chat, Team etc.)
  - By going Alpha channel > Files (grey button) > clicking the Open in SharePoint button > navigating to the top of the folder path (or clicking Documents), and then being able to access Bravo content
Has anyone had issues with this or know of a fix? I'm guessing it's a SharePoint permissions issue specific to guest users?
6 Replies
- This shouldn’t be possible because private channels aren’t in the same site collections! Therefore you shouldn’t be able to browse in SharePoint and find the other private channel there! You sure they are private channels? Can you please explain the scenario and send images of the setup!?
Adam
- SamG_ACopper Contributor
Scenario - we have a team - let's call it Blue Team. In it are a series of projects. Each project has its own private channel.
People in the channel are a mix of employees and consultants (guests). We have found the guests can access the "Files" (SharePoint saved content) of the various private teams, even though they have not been given membership.
They are all private channels, the general folder is 100% empty and was never used, and the Guests are definitely not in both channels.
- SamG_ACopper Contributor
@adam deltinger We resolved the issue.
Team Bravo was originally created before Private Channels came into existence last year. The original channel was a public channel.
After private channels came out the following happened:
- a new private channel was created with a similar name
- the Files content was copied across
- the old public channel was deleted in Teams
Unbeknownst to us, the public channel Files content is not deleted from SharePoint when a channel is deleted in Teams.
What was happening is that new guest users were able to access this residual public channel content. It appeared like current private team content because it had the same name and content up to the date it was migrated.
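
An audit for the residual folders described in the resolution above, as an added example that is not part of the original thread: it lists folders in the team site's document library that no current standard channel accounts for, and marks the ones whose name resembles a private channel. It assumes the MicrosoftTeams and PnP.PowerShell modules are installed; `$GroupId`, `$SiteUrl` and the `Shared Documents` library path are placeholders and assumptions to adjust.

```powershell
# Added example, not from the thread. Read-only: nothing is deleted or changed.
param(
    [Parameter(Mandatory)] [string] $GroupId,   # placeholder: the team's Microsoft 365 group ID
    [Parameter(Mandatory)] [string] $SiteUrl,   # placeholder: the team's SharePoint site URL
    [string] $Library = 'Shared Documents'      # assumption: default library path on an English site
)

Connect-MicrosoftTeams | Out-Null
Connect-PnPOnline -Url $SiteUrl -Interactive

# Standard channels store files in the parent team site, one folder per channel.
# Private channels store files in their own separate sites.
$standard = @(Get-TeamChannel -GroupId $GroupId -MembershipType Standard |
    Select-Object -ExpandProperty DisplayName)
$private = @(Get-TeamChannel -GroupId $GroupId -MembershipType Private |
    Select-Object -ExpandProperty DisplayName)

# Top-level folders in the team site library ('Forms' is a library system folder).
$folders = Get-PnPFolderItem -FolderSiteRelativeUrl $Library -ItemType Folder |
    Where-Object { $_.Name -ne 'Forms' }

$findings = foreach ($folder in $folders) {
    # A folder that matches a live standard channel is expected.
    if ($standard -contains $folder.Name) { continue }

    # Case-insensitive substring match in either direction, to catch the
    # "similar name" situation from the thread.
    $lookalike = $private | Where-Object {
        $_.IndexOf($folder.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0 -or
        $folder.Name.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }

    [pscustomobject]@{
        Folder                 = $folder.Name
        LastModified           = $folder.TimeLastModified
        ResemblesPrivateChannel = ($lookalike -join ', ')
        ServerRelativeUrl      = $folder.ServerRelativeUrl
    }
}

# Folders resembling a private channel are listed first: these are the likeliest
# leftovers from a public channel that was replaced by a private one.
$findings |
    Sort-Object { [string]::IsNullOrEmpty($_.ResemblesPrivateChannel) }, Folder |
    Format-Table -AutoSize
```

A flagged folder is a candidate for review, not proof of a leftover: a folder can also differ from its channel's current name for other reasons, so confirm its contents and permissions before removing or restricting it.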