Make thumbnail private to prevent data leak


Problem:
The first page of a document is publicly accessible to anyone who has the link to the thumbnail. The link has an access_token in it, and with it, it is even possible to download the whole document.

To prevent a data leak, please leave the thumbnails on the tenant and not on a publicly accessible "westeurope1-mediap.svc.ms/transform/thumbnail" server with a deeplink to the file.

In the past weeks we learned from the news that simple browser plug-ins can send these links to other servers. So the risk of leaking these links, and ultimately sensitive data, is huge.

If it is not possible to leave thumbnails on the tenant, consider making it possible to opt out of this feature in the admin pages.

Till then, the only thing to do is to always use a cover page as the first page of a document, and not to take pictures with sensitive data on them. But having done all this, the access_token in the link will not prevent someone who obtains the link from downloading the whole document.

I did not test for how long the token is valid.
Examples of places I tested that make these thumbnail files:
1. Internal (not shared) document on a SharePoint site.
2. Personal OneDrive folder.
3. Personal OneDrive folder image upload.
4. To my surprise, the problem extends also to outlook.office.com.

Screenshots as I cannot post links with the access_token in them:

1. https://dc704.4shared.com/img/p7LskMDPfi/s25/16c491b6d70/1_online?isRedirect=true&
2. https://dc704.4shared.com/img/oA-Ns4slda/s25/16c491b65a0/3_online?isRedirect=true&
3. https://dc704.4shared.com/img/oA-Ns4slda/s25/16c491b65a0/3_online?isRedirect=true&

4. The thumbnail link from Outlook expires after a short amount of time, but still, it's ridiculous.

You can test it yourself in any browser. See the following screenshot for where to find the deeplink: https://dc593.4shared.com/img/1KkldLRxda/s25/16c49307440/How_To_Get_Thumbnail?isRedirect=true&

Links look like this:

https://westeurope1-mediap.svc.ms/transform/thumbnail?provider=spo&inputFormat=pdf&cs=fFNQTw&docid=h...___DOMAIN___.sharepoint.com%3A443%2F_api%2Fv2.0%2Fdrives%2Fb!m2Xa-PkPGke3NksFN2FU01Ff_pxP-AJMik3hXghVjYkmGmeNmVF9SLq9eRUEzFx0%2Fitems%2F01WTLDZYGDSBIX3KG5C5DKNAVEAR3G2262%3Fversion%3DDraft&access_token=______TOKEN_______&encodeFailures=1&srcWidth=&srcHeight=&width=2000&height=2000&action=Preview
https://attachments.office.net/owa/____MAILBOX_____/service.svc/s/GetAttachmentThumbnail?id=
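
The point of the post is that the thumbnail URL carries an access_token in its query string, so every place the URL is copied (browser history, proxy and web-server logs, a plug-in that reports visited URLs) becomes a place the credential can leak. A defender-side check, added here as an example and not part of the original post, is to scan proxy logs for credentials in query strings and redact them before the entries are stored. The log format, the list of sensitive parameter names, and the tenant, drive, item, token and mailbox values below are constructed placeholders; only the URL shapes follow the links quoted in the post.

```python
"""Find and redact credentials carried in URL query strings.

Added example, not code from the original post. The URL shapes follow the
thumbnail links quoted in the post; the tenant name, drive/item ids, token
value and log lines are constructed placeholders.
"""
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Query parameter names that typically carry a bearer credential.
# This list is an assumption for the example; extend it for your own services.
SENSITIVE_PARAMS = {"access_token", "token", "id_token", "sig", "signature"}

# Constructed proxy log format: "<timestamp> <user> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def find_token_params(url):
    """Return the sorted names of query parameters in `url` that carry a credential."""
    query = urlsplit(url).query
    return sorted({name for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS})


def redact_url(url):
    """Return `url` with every sensitive query value replaced by REDACTED.

    The query is rewritten pair by pair on the raw string, so the original
    percent-encoding of the other parameters (e.g. docid) is preserved and
    the redacted URL still identifies host and document for triage.
    """
    parts = urlsplit(url)
    rewritten = []
    for pair in parts.query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name.lower() in SENSITIVE_PARAMS:
            value = "REDACTED"
        rewritten.append(name + sep + value)
    return urlunsplit(parts._replace(query="&".join(rewritten)))


def scan_proxy_log(lines):
    """Flag log entries whose request URL carries a credential in its query.

    Each finding records who requested which host and which parameter names
    leaked, together with the redacted URL, so the finding itself can be
    stored without re-logging the secret.
    """
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparsable line; skip rather than guess
        url = match["url"]
        leaked = find_token_params(url)
        if leaked:
            findings.append({
                "ts": match["ts"],
                "user": match["user"],
                "host": urlsplit(url).hostname,
                "params": leaked,
                "url": redact_url(url),
            })
    return findings


# Constructed sample log: one thumbnail request carrying a token, one plain
# SharePoint download, one Outlook attachment thumbnail without a token param.
SAMPLE_LOG = [
    "2019-08-01T10:00:01Z alice GET https://westeurope1-mediap.svc.ms/transform/thumbnail"
    "?provider=spo&inputFormat=pdf&docid=https%3A%2F%2FEXAMPLE_TENANT.sharepoint.com%3A443"
    "%2F_api%2Fv2.0%2Fdrives%2FEXAMPLE_DRIVE%2Fitems%2FEXAMPLE_ITEM"
    "&access_token=EXAMPLE_TOKEN_VALUE&width=2000&height=2000&action=Preview 200",
    "2019-08-01T10:00:02Z alice GET https://EXAMPLE_TENANT.sharepoint.com/sites/hr/report.pdf 200",
    "2019-08-01T10:00:03Z bob GET https://attachments.office.net/owa/EXAMPLE_MAILBOX"
    "/service.svc/s/GetAttachmentThumbnail?id=EXAMPLE_ID 200",
]

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print(finding["ts"], finding["user"], finding["host"], finding["params"])
        print("  ", finding["url"])
```

Running the block on the constructed log flags only the mediap.svc.ms thumbnail request, and the stored finding keeps the host and percent-encoded docid while the access_token value is replaced. The same redaction step is worth putting in front of any log sink that records full request URLs, since a token that is safe for a short-lived preview is not safe sitting in a log archive.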