Attachments can be accessed without login
Any attachment I added to my personal, non-shared Weekplan task can be accessed by anyone without login information for my account. All an attacker needs to know is the URL of the attachment.
For example, I created the task "Report Weekplan security issue: attachments". I added the file nonempty_test2.txt. Now anyone can access the file using the URL https://weekplan.s3.amazonaws.com/nonempty_test2-89694.txt .
Note the URL isn't that hard to guess:
- https://weekplan.s3.amazonaws.com/ - this is just a static part, the same for all users (I would expect, from the name)
- nonempty_test2 and .txt are derived from the uploaded name "nonempty_test2.txt". This is visible in the Weekplan UI, so I can get that, for example, from screenshots on this forum with issues.
- -89694 is a numeric identifier that increases globally and incrementally with each attachment uploaded (again, an assumption from observed behavior). That means if I know the file name, I can download it with currently at most 89694 guesses (easily automated). If I also know at least roughly when the attachment was uploaded, I can reduce the number of guesses to probably a few hundred (since the number increases incrementally with time).
Some of the data I upload to my personal Weekplan is very sensitive for me or work related. If I am to use the service, security is critical for me.
Thank you for reporting the issue. We will get back to you soon with an update.