Planner Leak Allows External Recipients to Receive Task Comments

How to Share Sensitive Information Outside Your Tenant Through Planner Comments

Planner is the Office 365 group-based task management app. I like it a lot and the Office 365 for IT Pros team uses Planner to track things we need to do for the book, including importing Office 365 notifications as they appear in the Microsoft 365 message center. Sometimes the Planner developers can be accused of not telling people about new developments in the app, but here’s an example of where something in the app just doesn’t work the way it should.

A recent request by Mike Tilson on Planner User Voice asks Microsoft to close off what he considers a potential security issue. The issue is easy to reproduce.

• Create a new task in a plan and assign it to someone in the team.
• Add a comment to the task. Depending on the email distribution settings for the underlying Microsoft 365 group, team members will receive an email with the comment. Alternatively, they can open the group mailbox to see the messages containing the comments there.
• Reply to the message with the comment. Normally the message will go back to the person who created the comment and the Microsoft 365 group. Before you send the message, add the email address of someone else outside your tenant (not a guest account in the tenant).
• The external recipient receives the comment and any further comment added to the task. They can reply to the messages they receive with comment updates and those responses are added as comments to the task, which is what you can see in Figure 1.

Figure 2 shows the message thread as viewed by the external recipient. It’s obvious that they could learn about some sensitive information through this mechanism.

Obviously, people shouldn’t be able to add external recipients to task comments. The only people who should see this information are members of the team, which could include guests.

No Way to Fix the Problem

The big problem is that once an external recipient is added in this manner, there’s no way to highlight that an external person is receiving comment updates, nor can the plan owners remove the external recipient.

According to the user voice post, the problem was reported to Microsoft in a support ticket and the response came back that Planner is working “by design.” I can’t understand the logic of such an answer. There’s no good reason for anyone to design an app that allows possibly sensitive information to leak outside an organization without any method to prevent this happening or close the hole once it does. That doesn’t sound like normal Microsoft practice and it’s certainly not the response I would expect or accept from a product group.

It might be the case that the support agent handling the problem did not understand the potential impact that such a leak could have, but I think it’s more probable that the development group never anticipated that anyone would add an external recipient to a message containing comments and therefore did not think through what might then happen.

Vote for Change

If you’re concerned about this situation, please upvote the user voice request. I’ll share this information with some people who might take a more proactive stance than the support response. Let’s hope that this hole can be closed soon.