Forum Discussion
Sharing a Document to Guest Exposes Organization Membership/Information
Hi Stephen, thank you for your reply. Unfortunately this does appear to be what's happening. These are the steps as best as I can reproduce them:
- Sign in as a domain user that has permissions to a SharePoint folder, and share this folder specifically to an external guest user that is not registered on the domain.
- As the external user, check your email to get the link to the folder. Click on the link and follow the process to authenticate with the code.
- Upon entering the code from previous step and authenticating as the external guest user, note that the Share button is available in the top left. Click it to open the share dialog.
- From the Audience drop down ensure Specific People is selected.
- Start typing email addresses of users in the domain as well as the email addresses of other guest users that this has been shared with. In my case they consistently appear as if the external user is a member of the domain, which should not be allowed as they are gaining unauthorized data (membership) of the domain. In addition to members of the domain, they are able to poll what appears to be service accounts, with SharePoint App being an example.
In my estimation, the external guest user should not see the Share functionality to begin with by default. This should only be a feature that is allowed for domain members only (again, by default). At a minimum a guest user should not be able to simply type a few characters within a field and do a poll on my domain membership as that is technically unauthorized activity and they are gaining access to unauthorized data. Additionally, it doesn't take much from there to create an automated bot of some sort to perform the lookups in an automated fashion, essentially pulling my directory contents for whatever uses they like, nefarious or otherwise.
Please let me know if I have misunderstood something, if I am overlooking an obvious setting, and/or if you have any further questions around this.
Thank you,
Michael
Thanks for elaborating Michael. Let me investigate further with the team and I'll get back to you. Thanks!
Stephen Rice
OneDrive Program Manager II
- Michael DeMond, Mar 26, 2018, Copper Contributor
Awesome, thank you Stephen. FWIW I have been exploring this a little more as I do believe there is some confusion on my part with Site Collections vs. domains. Additionally, there seems to be different behavior with sharing a document vs. sharing a folder.
Sharing a document works better from a security perspective than sharing a folder. With a document, a guest user can see the parent folder, but when they visit that parent folder they see the document and no other information. Perfect.
Sharing the folder, however, I as an external guest user can see the full membership of that folder in the top right. This again seems like unnecessary (default) information for a guest user. Additionally, the guest user can see all recent activity for a document, but not who did it. That tells me that some effort is made somewhere to conceal identity information (good thing) but now there is at a minimum inconsistent behavior as all members who are in the group are in plain sight anyways (bad thing).
Finally, I did manage to create several new users who were not in the site collection. As a domain member I was able to query them in the Share feature. As a guest I was not. I was able to add the non-site domain user's email but their name did not resolve like site domain users. So, this appears to be working as you have stated.
However, I was also able to query other guest users of both folder and document, which I feel is a concern. If I am invited to view an external document somewhere, it is not my expectation that other guest users can pull my information without my consent and/or awareness. Additionally, being able to query *any* member -- regardless of whether they are domain or guest -- as an external guest is a security concern. Consider that:
- There are no terms of use presented to the guest user (that I can see -- feel free to correct me if I am wrong here) so they are essentially free to use the data as they wish.
- This behavior works on any SharePoint online account that has sharing enabled so if this guest user has access to other SharePoint online accounts, the same behavior applies and they can harvest information from these other accounts and connect the dots as they may. This is, of course, a compounded concern if this user is part of a coordinated set of other users who are performing similar operations.
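The concern above is about what a guest can discover through the sharing dialog's people picker. As an added, defender-side check that is not part of this thread, the following SharePoint Online Management Shell script reads the tenant-wide settings that influence that discovery and flags the ones that widen it; the admin URL is a placeholder and the "safe" values are the editor's recommendations, not anything Microsoft states here.

```powershell
# Added example, not from the forum thread. Assumes the SharePoint Online
# Management Shell module is installed and the account can run Get-SPOTenant.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL, replace
Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant

# Each entry: tenant property, the value that limits guest discovery, and why it matters.
# Note: per the discussion above, site membership visibility is a site-collection matter;
# these are only the tenant-wide controls that shape the people picker and link redemption.
$checks = @(
    @{ Name = 'ShowPeoplePickerSuggestionsForGuestUsers'; Safe = $false
       Why  = 'When $true the people picker suggests existing guest users to anyone sharing' },
    @{ Name = 'ShowAllUsersClaim';                        Safe = $false
       Why  = 'Surfaces the "All Users" claim in the picker, widening who can be addressed' },
    @{ Name = 'ShowEveryoneClaim';                        Safe = $false
       Why  = 'Surfaces the "Everyone" claim in the picker' },
    @{ Name = 'RequireAcceptingAccountMatchInvitedAccount'; Safe = $true
       Why  = 'The invited e-mail address must be the one that redeems the share link' }
)

$findings = foreach ($c in $checks) {
    $actual = $tenant.($c.Name)
    [pscustomobject]@{
        Status      = if ($actual -eq $c.Safe) { 'OK' } else { 'WEAK' }
        Setting     = $c.Name
        Current     = $actual
        Recommended = $c.Safe
        Why         = $c.Why
    }
}
$findings | Format-Table -AutoSize

# ExternalUserSharingOnly restricts sharing to authenticated guests (no anonymous links);
# Disabled turns external sharing off for the tenant.
"SharingCapability: $($tenant.SharingCapability)"

# Remediation for a WEAK row is a matching Set-SPOTenant call, for example:
# Set-SPOTenant -ShowPeoplePickerSuggestionsForGuestUsers $false
```

Run it read-only first; the Set-SPOTenant line is left commented so the script audits without changing the tenant.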
- Stephen Rice, Mar 27, 2018, Microsoft
Hi Michael DeMond,
The model for ODB/SPO is that permissions/discovery occurs at the site collection level. We allow users to see other people in the site to enable easy collaboration. There's certainly a balance here though. Also, the list of people you are seeing in the upper right is actually the membership of the site, not the permission of the folder (I believe at least, depending on which list of faces you are seeing :) ).
If you have any other concerns, feel free to submit a Design Change Request to the team. Thanks!
Stephen Rice
OneDrive Program Manager II
- Michael DeMond, Mar 27, 2018, Copper Contributor
OK that sounds good Stephen. How does one go about doing that? :)
FWIW, I believe there are two scenarios for collaboration here:
- The external guest user is registered in the domain (this is done via Office 365 or Azure Active Directory).
- The external guest user is not registered and their email is used to provide authentication to the document.
In the first scenario, especially when the document is given edit permissions, I can see providing more information to this registered external guest user. In the second one, however, I think it makes more sense that the user has less access to domain information.
Also, please do not lose sight of having someone's PII given to other members of a document/site without their permission. I think if you did a survey/poll and asked external users of SharePoint/OneDrive sharing if they are OK with this, a good majority would find this surprising. I certainly was because there is no messaging provided that this happens anywhere.
That said, I would like to pursue the design change request. Please let me know what the next step would be for this and I will certainly provide my thoughts.
Thanks again!
Michael