Security concerns around 404 Response for unauthorised users
In recent discussions with a customer, concerns were voiced around how SharePoint responds to requests from unauthenticated users, in particular when hitting a URL for a site collection that does exist versus one that doesn't.
/sites/bar exists on the tenancy.
/sites/foo does not exist on the tenancy.
When an unauthenticated user hits /sites/bar they get an auth challenge.
When an unauthenticated user hits /sites/foo they get a very basic 404.
This behaviour makes it possible for unauthorised users to sniff around to understand what sites exist and what sites do not. This is a potential security risk as unauthorised users could arguably use trial and error to map out a company's information architecture and locate commercially sensitive or confidential site collections.
Is there any way that this can be made consistent (i.e. auth challenge for unauthorised users) to avoid this situation?
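Until the responses are made consistent, the difference described above can at least be watched for in web access logs. The following is an added example (not part of the original post or any Microsoft tooling) that flags clients which collect many distinct 404s for top-level /sites/ paths without ever authenticating; it assumes a simplified, constructed log format of `client method path status` and a hypothetical threshold of three distinct missing site collections.

```python
"""Flag clients probing for SharePoint site collections that do not exist.

Assumed (constructed) log format per line: "<client> <method> <path> <status>".
A client is flagged when it receives 404s for several distinct /sites/<name>
paths and never receives a 200, i.e. it never authenticated successfully.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.10 GET /sites/bar 401
203.0.113.10 GET /sites/foo 404
203.0.113.10 GET /sites/finance?x=1 404
203.0.113.10 GET /sites/hr 404
203.0.113.10 GET /sites/legal/ 404
203.0.113.10 GET /sites/m-and-a 404
198.51.100.7 GET /sites/bar 200
198.51.100.7 GET /sites/bar/Shared%20Documents/x.docx 404
"""


def site_collection(raw_path):
    """Return '/sites/<name>' (lower-cased) when the request targets a
    site-collection root, or None for deeper paths such as documents."""
    parts = urlparse(raw_path).path.rstrip("/").split("/")
    if len(parts) == 3 and parts[1].lower() == "sites" and parts[2]:
        return "/sites/" + parts[2].lower()
    return None


def find_enumerators(log_text, threshold=3):
    """Return {client: sorted distinct missing site collections} for clients
    that hit at least `threshold` distinct 404 site roots and never got a 200."""
    missing = defaultdict(set)
    authenticated = set()
    for line in log_text.splitlines():
        client, _method, path, status = line.split()
        if status == "200":
            authenticated.add(client)  # a genuine, signed-in user
            continue
        site = site_collection(path)
        if status == "404" and site:
            missing[client].add(site)
    return {c: sorted(s) for c, s in missing.items()
            if c not in authenticated and len(s) >= threshold}


if __name__ == "__main__":
    for client, sites in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {len(sites)} missing site collections probed {sites}")
```

Deep-path 404s (a missing document inside an existing site) are deliberately ignored so that ordinary broken links from signed-in users do not trip the check.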
Aleksandr Sapozhkov commented
Hi, I totally agree that this is a serious issue and I described it in a bit more detail here: https://www.linkedin.com/pulse/sharepoint-404-security-issue-aleksandr-sapozhkov. A related issue is that other Office 365 services are also vulnerable, so it does not make much sense to only fix one problem but not the others. For example, there are ways to enumerate user account names: https://www.trustedsec.com/blog/owning-o365-through-better-brute-forcing/