At a company I worked at recently, I ran across a Sharepoint site and wondered whether I could download data that I wasn’t supposed to see.
Now I understand the purpose of SharePoint and company intranets is to share data, but even then, some data should be restricted to a limited number of people.
So I decided to check (before doing things like this, you better know How to Stay Out of Jail).
Location: Company Intranet
The site was on a company intranet, where you could leave questions about a product and an admin would respond within a couple days.
The questions and answers were the only fields visible in the List view. From what I could tell, this site was using SharePoint Foundations 2010.
The site said that questions could be left anonymously, which is what raised my eyebrows.
What is the chance of being on a local network, logged in as an Active Directory user on SharePoint, and being able to anonymously leave a message? Mostly none.
The first thing I had to do was find the Excel button. To display this, I clicked on Show all Content, then Lists (the questions were stored as lists, which kind of look like SharePoint tasks, if you’re familiar with them).
Then I saw the Export to Excel button. When I clicked it, I exported the same information I could see on the site, which was just Question and Answer.
Next I tried the Export to Access button, and then reviewed the data provided.
I was able to see fields that I couldn’t see in SharePoint, including the ID of the person who posted the question, and 3 other fields that I wasn’t supposed to see, such as draft responses and management’s comments about them– most of it wasn’t sensitive data, but it wasn’t mean to be public either.
SharePoint Alert Bonus
Then I decided to try the SharePoint Alert feature, which you can configure to alert you of any changes to a SharePoint page.
I wondered whether I would see all the fields that I saw in my Access database download.
I didn’t have to wait very long, as this was a busy site.
Every time someone posted a new question, drafted or revised a response, commented or approved a response, or published the final response, I received an email that contained all the fields, including the ones I should not be able to see.
The email also contained links back to the original item on the SharePoint site, which displayed all the fields that were in the email.
I noticed that when I clicked on the Item link in the email, the resulting page displayed, along with all the other fields, such as the account that posted the question (e.g., Domain/Mack01).
I also noticed that on the Mobile View link, the poster’s full name was displayed instead of the account (e.g., Mack Miller*).
No, that’s not my real last name…
At this point, all I had to do to see all the data for any question was simple URL manipulation. To see item 43, I changed the last part of the URL to “ID?43”. Very simple and convenient.
4 Bothersome Issues
1) Supposed Anonymity
So 4 things bothered me: First, that users were told the questions were anonymous, when they were not.
Visitors to the site could not see who posted the question, but I’m assuming the site admins answering the questions could see the user’s ID and name.
Some of the questions and comments about the product were negative and even flippant, which you tend to get more of when people think they are anonymous.
How do those who run the site use that information? Do they truly ignore who left the comments? Do they withhold the poster’s IDs only to ensure more frank comments?
Or could a certain comment become a career limiting move when it is passed onto HR?
Take away: Don’t trust promises regarding anonymity, especially on a company network. Or any network. Especially the internet.
2) Inappropriate Content
Second, the admins providing the draft responses and the team leads and managers reviewing and approving the responses were totally unaware that all their comments forth and back, including unknown issues with the product and their jokes about it, were really public.*
*Public in the sense that it was available to anyone who knew how to view it.
In this case, the jokes and comments posted by the admins (to each other) were inappropriate and careless. Some of them made fun of the people submitting the questions. Some of them were jabs at other admins.
It is ironic that the same lack of privacy that the admins promised the employees was also missing for the admins.
3) Lack of SharePoint Training
These kinds of security issues are caused often by a lack of training or simple mistakes, but usually because of poor training. And poor enforcement of standards.
I’ve been told that SharePoint has site permissions as well as individual permissions on lists, blogs, and other sections of the site.
Evidently the sections inherit the permissions set up for the site, but each section’s security can be customized, and when a section is customized, changes to the overall site’s permissions no longer roll down.
However, the permissions that govern which fields can be downloaded into Access are not configured properly (Excel download was not an issue).
Also, since the alerts also provided the same fields, it appears a higher level permission was missed somewhere.
I’d appreciate if someone with a better understanding of SharePoint permissions would provide their opinion of what might have happened. Either way, it was a security failure.
My assumption is that whoever set up the list feature didn’t know about the other features that could be used to obtain the restricted fields in the normal list view.
That’s why a good security practice is to use a non-privileged account to test all the features that can access your data. And when you do the testing, don’t just test what a typical user can see, but what a typical user COULD SEE if he really knew what he was doing.
Remember to test these items in your next Sharepoint audit.
4) Easy for Anyone
Fourth, and the thing that bothered me the most, is that how the SharePoint Alert function made it easy for anyone to stumble upon this nonpublic information.
As a result, I often configure these alerts for all the Sharepoint sites I use, especially those that use surveys and lists.
While I have observed in many companies in which I audit that most people are unaware of the alert feature and don’t use it, the more tech-savy people are aware of it. And they use it.
My point is that most of the population is not going to look for and try download buttons and URL manipulation, but anyone can configure an alert and receive this kind of data.
Moral: If you use SharePoint, make a point not to share what should be private.