SOLVED

Backdoor for Guest Users to see unauthorized Private Channel Files within a Team


Hi

I have a situation where Guest users can see content they have not been given access to.

Situation:

- I have an MS Team

- It has two Private Channels: Alpha and Bravo

- A guest user is added to Alpha but can see the content in Bravo via one of two methods:

  1. Clicking the "Purple" Files tab on the left-hand side of the Teams interface (under Activity, Chat, Team etc)
  2. By going Alpha channel > Files (grey button) > clicking the Open in SharePoint button > navigating to the top of the folder path (or clicking Documents), and then being able to access Bravo content

Has anyone had issues with this or know of a fix? I'm guessing it's a SharePoint permissions issue specific to guest users?

6 Replies

This shouldn’t be possible because private channels aren’t in the same site collections! Therefore you shouldn’t be able to browse in SharePoint and find the other private channel there! You sure they are private channels? Can you please explain the scenario and send images of the setup!?

Adam

@adam deltinger

Scenario - we have a team - let's call it Blue Team. In it are a series of projects. Each project has its own private channel.

People in the channel are a mix of employees and consultants (guests). We have found the guests can access the "Files" (SharePoint saved content) of the various private teams, even though they have not been given membership.

They are all private channels, the general folder is 100% empty and was never used and the Guests are definitely not in both channels

SamG_A_0-1590407560364.png

SamG_A_1-1590407844913.png


@SamG_A Is the first picture you have attached from the guest user? If so it looks like the guest user is a member of both private channels since they are both visible in the team.

Yeah, good point! Please go through the member settings once more or check SP explicit permissions too

Hi - no it's not. It's the admin.

The guest user is not in Bravo and cannot see Bravo in that screenshot (sorry don't have a pic but it is confirmed)

Best Response confirmed by SamG_A (Occasional Contributor)
Solution

@adam deltinger  We resolved the issue.

Team Bravo was originally created before Private Channels came into existence last year. The original channel was a public channel.

After private channels came out the following happened:

  • a new private channel was created with a similar name
  • the Files content was copied across
  • the old public channel was deleted in Teams

Unbeknownst to us, the public channel Files content is not deleted from SharePoint when a channel is deleted in Teams.

What was happening is that new guest users were able to access this residual public channel content. It appeared like current private team content because it had the same name and content up to the date it was migrated.
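
Added example, not part of the original thread or any poster's code: a PowerShell check for the residue described in the solution, i.e. folders left in the team site's document library that no current standard channel backs, with extra weight on folders whose name resembles a private channel. The function name, the `Forms` ignore entry and the sample data are assumptions made for this illustration; the commented lines show how the inputs could be collected with the MicrosoftTeams and PnP.PowerShell modules.

```powershell
# Hypothetical helper: compares document-library folders against current channels.
function Find-OrphanedChannelFolder {
    param(
        [string[]]$FolderNames,           # top-level folders in the team site's library
        [string[]]$StandardChannelNames,  # current standard (public) channels
        [string[]]$PrivateChannelNames,   # private channels (their files live in separate sites)
        [string[]]$Ignore = @('Forms')    # assumption: library system folder to skip
    )
    # Compare names on letters and digits only, lower-cased.
    $normalize = { param($s) ($s -replace '[^A-Za-z0-9]', '').ToLowerInvariant() }
    $standard  = @($StandardChannelNames | ForEach-Object { & $normalize $_ })

    foreach ($folder in $FolderNames) {
        if ($Ignore -contains $folder) { continue }
        $key = & $normalize $folder
        if ($standard -contains $key) { continue }   # backed by a live standard channel

        # "Similar name" test: one normalized name contains the other.
        $lookalike = @($PrivateChannelNames | Where-Object {
            $p = & $normalize $_
            $p -and $key -and ($p.Contains($key) -or $key.Contains($p))
        })
        [pscustomobject]@{
            Folder                  = $folder
            ResemblesPrivateChannel = ($lookalike -join ', ')
            Review                  = if ($lookalike.Count) { 'High: likely leftover of a deleted public channel' }
                                      else { 'Check: no matching standard channel' }
        }
    }
}

# Live inputs, after Connect-MicrosoftTeams and Connect-PnPOnline -Url $siteUrl
# ($groupId and $siteUrl are placeholders for the team's group id and SharePoint site):
#   $std  = (Get-TeamChannel -GroupId $groupId -MembershipType Standard).DisplayName
#   $priv = (Get-TeamChannel -GroupId $groupId -MembershipType Private).DisplayName
#   $dirs = (Get-PnPFolderItem -FolderSiteRelativeUrl 'Shared Documents' -ItemType Folder).Name

# Constructed sample mirroring the thread: a "Bravo" folder survives in the parent site.
$dirs = 'General', 'Bravo', 'Old Reports', 'Forms'
$std  = 'General'
$priv = 'Alpha', 'Bravo Project'
Find-OrphanedChannelFolder -FolderNames $dirs -StandardChannelNames $std -PrivateChannelNames $priv |
    Format-Table -AutoSize
```

A flagged folder is a candidate for review rather than proof of a leftover channel, since users can also create folders directly in the library; check its contents and permissions before moving or deleting it.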