Vulnerability Description
A vulnerability has been identified affecting workspaces shared with multiple users who are not expected to be discoverable by each other. This is the case, for instance, of the SharePoint App Catalog, a centralised location where custom apps (SPFx solutions, add-ins and third-party apps) are stored, managed and made available for use across SharePoint environments.
Centralised site collections of this type require wide audiences to have "Read" access to their content. When any user, internal or external, consumes a resource from one of these central repositories, SharePoint automatically creates a record for them in an internal list named "User Information List", local to the site collection.
SharePoint also exposes internal APIs that may allow users to query the "User Information List" and retrieve data about other users who have previously accessed the same site collection. As a result, an authenticated guest user can gather information about other authenticated users, or even user groups.
Atlas, as a third-party application, uses the SharePoint App Catalog. Similarly, Atlas has its own centralised repository named "AtlasConfiguration", which serves as a centralised location to store and retrieve assets such as images, templates and more.
Solution
Below are the steps that prevent users with "Read" permission from seeing other users or user groups stored in the "User Information List" of a site collection.
These steps must be applied to all site collections used as central repositories of resources, including, but not limited to, the following sites used by Atlas:
https://[your-tenant-domain].sharepoint.com/sites/atlasconfiguration
https://[your-tenant-domain].sharepoint.com/sites/appcatalog
The "AppCatalog" site may have a different name in your environment. In fact, you may have multiple app catalogs in your environment, and you may want to apply the same configuration changes to each of them to prevent users from seeing other users through the SharePoint APIs.
Step by Step guide
- Browse to the site through its URL
- Click on the gear icon > "Site Permissions"
- Click on "Advanced permissions settings"
- On the "PERMISSIONS" tab, click on "Permission Levels" in the "Manage" group
- On the "Permission Levels" page, click on the "Read" permission level to edit it
- On the "Read" permission level page, scroll down, and under section "Site Permissions", uncheck the setting "Browse User Information - View information about users of the Web site.". The setting "Use Self-Service Site Creation - Create a Web site using Self-Service Site Creation." will be automatically unchecked as well.
- Scroll down and click on the button "Submit"
IMPORTANT: The change to the "Read" permission level is only effective if no Read permissions group also holds Limited Access. Limited Access grants default rights to the User Information List, so it would bypass this restriction; double check that it is not assigned to any Read group.
Whether Limited Access has been assigned to any of the relevant reader groups can be checked through the "Show users" link, which appears when the yellow notice is shown above the advanced permissions screen, as in the screenshot below.
If Limited Access is assigned, in addition to Read, to a relevant group containing external users, track down the items in the site with broken permission inheritance, remove it, and ensure the system no longer grants Limited Access to that group (through the "Show these items" option). Otherwise the vulnerability will remain.
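The same check can be scripted so it is repeatable across every app catalog and repository site. The following is an added example, not part of this article or of Atlas; it assumes the PnP.PowerShell module, an account allowed to administer the site collection, and uses the site URL as a placeholder.

```powershell
# Added example: audit (and optionally fix) the "Read" permission level and flag
# principals that also hold "Limited Access" at the web level.
# Assumes PnP.PowerShell is installed; $SiteUrl is a placeholder.
param(
    [string]$SiteUrl = "https://[your-tenant-domain].sharepoint.com/sites/appcatalog",
    [switch]$Fix   # without -Fix the script only reports
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

$browseUserInfo = [Microsoft.SharePoint.Client.PermissionKind]::BrowseUserInfo

# 1. Does the "Read" level still grant "Browse User Information"?
$read = Get-PnPRoleDefinition -Identity "Read"
if ($read.BasePermissions.Has($browseUserInfo)) {
    Write-Warning "'Read' on $SiteUrl still includes Browse User Information."
    if ($Fix) {
        # Clearing BrowseUserInfo also drops CreateSSCSite (Use Self-Service Site
        # Creation), matching what the UI does when the box is unchecked.
        Set-PnPRoleDefinition -Identity "Read" -Clear BrowseUserInfo
        Write-Host "Removed Browse User Information from the 'Read' level."
    }
} else {
    Write-Host "'Read' on $SiteUrl does not grant Browse User Information."
}

# 2. Web-level role assignments: a group bound to both "Read" and "Limited
#    Access" bypasses the change above and needs the inheritance clean-up
#    described in the notes (broken inheritance on items in the site).
$web = Get-PnPWeb -Includes RoleAssignments
foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    $levels = $ra.RoleDefinitionBindings | ForEach-Object { $_.Name }
    if ($levels -contains "Limited Access") {
        Write-Warning ("{0} holds Limited Access (levels: {1})" -f `
            $ra.Member.Title, ($levels -join ", "))
    }
}
```

Run it without -Fix first to see the current state of each site, then with -Fix once the report matches what you expect to change.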