Microsoft-graph-docs: Graph showing data from other customers, possible security breach

Created on 17 Jul 2018 · 6 Comments · Source: microsoftgraph/microsoft-graph-docs

Issue:
Microsoft Graph is showing files that we do not have access to. We are getting usernames and filenames in the Microsoft Graph of files that are from other Office 365 tenants where we do not have access to or have any relationship with. When we try to open the link, access is denied.

I don't think it is good to put the output of the Graph Explorer here, because it contains personal information of Microsoft Customers that I don't know.

I've tried to talk to Office 365 support, but they wanted me to post the problem here.

In my opinion this is a vulnerability and goes against the GDPR law.

All 6 comments

I too believe this is a security breach happening in the /drive endpoint of the Graph API.
We are using /me/drive/sharedWithMe and found this problem in both the v1.0 and beta endpoints.
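As an added example (not code from the thread or from Microsoft), the following script shows one way a tenant admin could review a /me/drive/sharedWithMe page for items that reference identities or SharePoint hosts outside their own tenant, the symptom described above. The response embedded below is constructed sample data with hypothetical names, and the field layout (remoteItem, createdBy, shared.sharedBy, webUrl) is assumed to follow the driveItem shape; anything flagged is a candidate for review, since cross-tenant sharing via guest accounts can be legitimate.

```python
import json
from urllib.parse import urlparse

# Constructed sample (hypothetical data, not real tenant output): a trimmed
# /me/drive/sharedWithMe page. The field layout is an assumption about the
# driveItem/remoteItem shape, not copied from any real response.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "name": "Q3-plan.docx",
            "remoteItem": {
                "webUrl": "https://contoso-my.sharepoint.com/personal/alice_contoso_com/Documents/Q3-plan.docx",
                "createdBy": {"user": {"displayName": "Alice", "email": "alice@contoso.com"}},
                "shared": {"sharedBy": {"user": {"displayName": "Alice", "email": "alice@contoso.com"}}},
            },
        },
        {
            "name": "vendor-list.xlsx",
            "remoteItem": {
                "webUrl": "https://fabrikam-my.sharepoint.com/personal/bob_fabrikam_com/Documents/vendor-list.xlsx",
                "createdBy": {"user": {"displayName": "Bob", "email": "bob@fabrikam.com"}},
                "shared": {"sharedBy": {"user": {"displayName": "Bob", "email": "bob@fabrikam.com"}}},
            },
        },
    ]
})


def _walk(obj):
    """Yield (key, value) for every scalar leaf in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                yield from _walk(value)
            else:
                yield key, value
    elif isinstance(obj, list):
        for value in obj:
            yield from _walk(value)


def item_domains(item):
    """Return every e-mail domain and URL host referenced anywhere in one item."""
    found = set()
    for key, value in _walk(item):
        if not isinstance(value, str):
            continue
        if key == "email" and "@" in value:
            found.add(value.rsplit("@", 1)[1].lower())
        elif key == "webUrl":
            host = urlparse(value).hostname
            if host:
                found.add(host.lower())
    return found


def foreign_items(response_text, own_domains):
    """List (item name, unknown domains) for items touching domains not in own_domains.

    own_domains should hold the tenant's verified mail domains and its
    SharePoint hostnames; anything else is reported for review, not as proof
    of a leak, because guest sharing from other tenants is a normal case.
    """
    own = {d.lower() for d in own_domains}
    flagged = []
    for item in json.loads(response_text).get("value", []):
        unknown = sorted(d for d in item_domains(item) if d not in own)
        if unknown:
            flagged.append((item.get("name", "<unnamed>"), unknown))
    return flagged


if __name__ == "__main__":
    # Hypothetical tenant: contoso.com with its *-my/*.sharepoint.com hosts.
    own = {"contoso.com", "contoso-my.sharepoint.com", "contoso.sharepoint.com"}
    for name, domains in foreign_items(SAMPLE_RESPONSE, own):
        print(f"REVIEW: {name!r} references {', '.join(domains)}")
```

In practice the response text would come from a paged GET of /me/drive/sharedWithMe (following @odata.nextLink) rather than the embedded sample; the domain allowlist is the only tenant-specific input.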

Apparently the Office 365 support department finally sees the urgency of this problem and is asking me to test again. Now I do not see information about other customers. @Crispify can you try again too?

Indeed, not seeing results from other tenants anymore.

Hi @Vullers, can you direct email [email protected] with specifics (if you could provide exact repro steps also), as this gets the appropriate eng team. We are not specifically sure if you are seeing sample data or something else as this is not repro.

@CelticCoder I have sent the email on how I got the results. This now is not possible anymore; also an escalation manager at Microsoft is working on this as well. Maybe team up and investigate this further?

I can also assure you that this was not example / sample / demo data, this was real data, I've verified the people that were showing in the Graph output.

There was an internal incident escalation on this. The issue was resolved last week. I apologize for not coming back to this thread to update here. I know that there was engagement with people on this thread directly via email.
