I was recently tasked with developing a web application which pulls calendar information from a Microsoft Exchange system, and then displays it in a web interface. The primary use of this interface was to view shared calendars without having to use Outlook. To pull the information from Exchange, I used EWS; The same protocol which OSX machines use to integrate with Exchange, and which Outlook for Mac uses.
Once the app was up and running, somebody pointed out to me that appointments which appeared as “Private Appointment” in Outlook, actually appeared with their full summary and description when viewed in my application! This can’t be… I am logging in over EWS with the users supplied credentials, not some super system user that has full access to read peoples private appointments… They should only see the same thing that they see when using Outlook…
My immediate thought was that this must be a vulnerability and would need to be reported to Microsoft. However, it turns out Microsoft already know about it:
“Important You should not rely on the Private feature to prevent other people from accessing the details of your appointments, contacts, or tasks. To make sure that other people cannot read the items that you marked as private, do not grant them Reviewer (can read items) permission to your Calendar, Contacts, or Tasks folder. A person who is granted Reviewer (can read items) permission to access your folders could use programmatic methods or other e-mail programs to view the details of a private item. Use the Private feature only when you share folders with people whom you trust.”
Most people would expect that if you share a calendar with somebody, they can’t see the appointments which you mark as private. Especially considering that Outlook and OWA behave that way. It would take me less than a day to write a web app which allows somebody to enter the hostname of an Exchange system, their username, their password, and the username of somebody else on that system who has shared their calendar, and for it to then simply display all of their private appointments. The only difference between a public appointment and a private appointment, is that when Exchange sends the full details of a private appointment, it has a little property to tell you that it is private and so you probably shouldn’t show it to the end user.
Rather than relying on the client to hide private appointments, or obfuscate them (as Outlook does), Exchange should do that before sending it down to the client. I can’t think of one good reason why Exchange doesn’t already do this… Can you?
P.S. Although I only talk about calendars and appointments, Microsofts comment (quoted above) suggests that the same can be said for private tasks and private contacts. I have not witnessed this myself, but I assume that is the case.