Forum Discussion
Sharing a Document to Guest Exposes Organization Membership/Information
Hi Michael,
If you invite a guest user to a SharePoint site, they should only be able to see other guest users in that site collection. If your guest users are seeing users from outside the site collection, please let me know.
Thanks,
Stephen Rice
OneDrive Program Manager II
- Michael DeMond, Mar 26, 2018, Copper Contributor
Hi Stephen, thank you for your reply. Unfortunately this does appear to be what's happening. These are the steps as best as I can reproduce them:
- Sign in as a domain user that has permissions to a SharePoint folder, and share this folder specifically to an external guest user that is not registered on the domain.
- As the external user, check your email to get the link to the folder. Click on the link and follow the process to authenticate with the code.
- Upon entering the code from the previous step and authenticating as the external guest user, note that the Share button is available in the top left. Click it to open the share dialog.
- From the Audience drop-down, ensure Specific People is selected.
- Start typing email addresses of users in the domain as well as the email addresses of other guest users that this has been shared with. In my case they consistently appear as if the external user is a member of the domain, which should not be allowed as they are gaining unauthorized data (membership) of the domain. In addition to members of the domain, they are able to poll what appears to be service accounts, with SharePoint App being an example.
In my estimation, the external guest user should not see the Share functionality to begin with by default. This should only be a feature that is allowed for domain members only (again, by default). At a minimum a guest user should not be able to simply type a few characters within a field and do a poll on my domain membership as that is technically unauthorized activity and they are gaining access to unauthorized data. Additionally, it doesn't take much from there to create an automated bot of some sort to perform the lookups in an automated fashion, essentially pulling my directory contents for whatever uses they like, nefarious or otherwise.
Please let me know if I have misunderstood something, if I am overlooking an obvious setting, and/or if you have any further questions around this.
Thank you,
Michael
- StephenRice, Mar 26, 2018, Microsoft
Thanks for elaborating, Michael. Let me investigate further with the team and I'll get back to you. Thanks!
Stephen Rice
OneDrive Program Manager II
- Michael DeMond, Mar 26, 2018, Copper Contributor
Awesome, thank you Stephen. FWIW I have been exploring this a little more as I do believe there is some confusion on my part with Site Collections vs. domains. Additionally, there seems to be different behavior with sharing a document vs. sharing a folder.
Sharing a document works better from a security perspective than sharing a folder. With a document, a guest user can see the parent folder, but when they visit that parent folder they see the document and no other information. Perfect.
When sharing the folder, however, I as an external guest user can see the full membership of that folder in the top right. This again seems like unnecessary (default) information for a guest user. Additionally, the guest user can see all recent activity for a document, but not who did it. That tells me that some effort is made somewhere to conceal identity information (good thing) but now there is at a minimum inconsistent behavior as all members who are in the group are in plain sight anyways (bad thing).
Finally, I did manage to create several new users who were not in the site collection. As a domain member I was able to query them in the Share feature. As a guest I was not. I was able to add the non-site domain user's email but their name did not resolve like site domain users. So, this appears to be working as you have stated.
However, I was also able to query other guest users of both folder and document, which I feel is a concern. If I am invited to view an external document somewhere, it is not my expectation that other guest users can pull my information without my consent and/or awareness. Additionally, being able to query *any* member -- regardless of whether they are domain or guest -- as an external guest is a security concern. Consider that:
- There are no terms of use presented to the guest user (that I can see -- feel free to correct me if I am wrong here) so they are essentially free to use the data as they wish.
- This behavior works on any SharePoint Online account that has sharing enabled, so if this guest user has access to other SharePoint Online accounts, the same behavior applies and they can harvest information from these other accounts and connect the dots as they may. This is, of course, a compounded concern if this user is part of a coordinated set of other users who are performing similar operations.