Sharing a Document to Guest Exposes Organization Membership/Information
Hi Michael,
If you invite a guest user to a SharePoint site, they should only be able to see other guest users in that site collection. If your guest users are seeing users from outside the site collection, please let me know.
Thanks,
Stephen Rice
OneDrive Program Manager II
Hi Stephen,
Thank you for your reply. Unfortunately, this does appear to be what's happening. These are the steps as best as I can reproduce them:
- Sign in as a domain user that has permissions to a SharePoint folder, and share this folder specifically to an external guest user that is not registered on the domain.
- As the external user, check your email to get the link to the folder. Click on the link and follow the process to authenticate with the code.
- Upon entering the code from the previous step and authenticating as the external guest user, note that the Share button is available in the top left. Click it to open the share dialog.
- From the Audience drop-down, ensure Specific People is selected.
- Start typing email addresses of users in the domain as well as the email addresses of other guest users that this has been shared with. In my case they consistently appear as if the external user is a member of the domain, which should not be allowed as they are gaining unauthorized data (membership) of the domain. In addition to members of the domain, they are able to poll what appears to be service accounts, with SharePoint App being an example.
In my estimation, the external guest user should not see the Share functionality to begin with by default. This should only be a feature that is allowed for domain members only (again, by default). At a minimum, a guest user should not be able to simply type a few characters within a field and do a poll on my domain membership, as that is technically unauthorized activity and they are gaining access to unauthorized data. Additionally, it doesn't take much from there to create an automated bot of some sort to perform the lookups in an automated fashion, essentially pulling my directory contents for whatever uses they like, nefarious or otherwise.
Please let me know if I have misunderstood something, if I am overlooking an obvious setting, and/or if you have any further questions around this.
Thank you,
Michael