SOLVED

User breached permissions via sharing link - Please help!


Hi all. I've never EVER seen a SharePoint permission breached unless user error is involved.

 

In this scenario, a user (user1) shared a video via a sharing link 'Specific people only'. One of the recipients (user2) forwarded this to a number of users, one of whom (user3) attempted to open the link, which opened the box shown in the image below:

 

[Image: Capture.PNG]

User3 clicked 'Next' which took them to a page where they were invited to enter an email address. They entered their own email address and received access denied (as expected). However, when they entered the email address of user2, they were granted access and were able to see the video.

 

At no point did User3 enter the password of User2.

User1 did not grant access to User3.

 

Can anyone suggest what might have happened here? I cannot get the box shown in the image above to appear and therefore I cannot fully replicate the issue at this time. I wonder if this is a bug with the option to enter an email address bypassing the requirement for a password?

2 Replies

@Kotus-Tech I feel like this is a test with a trick question :) Did user3 use the same workstation as user2? That's the only explanation I can think of... You can't authenticate if you don't provide credentials so the only thing I can think of is that the user did not authenticate at all because the authentication had already taken place... 

 

 

Best Response confirmed by Kotus-Tech (Contributor)
Solution

@talpeer LOL I'm glad it isn't just me! Apparently the machine contained no other user details.

 

I am going to write this off as a user error; I cannot see any possibility that permissions were breached in this manner.