Attachments can be accessed without login

Avatar
  • mis à jour
  • À l'étude

Any attachment I added to my personal non shared weekplan task can be accessed by anyone without login information to my account. All attacker needs to know is url of attachment.

For example I created Task "Report Weekplan security issue: attachments". I added file nonempty_test2.txt . Now anyone can access the file using url https://weekplan.s3.amazonaws.com/nonempty_test2-89694.txt .

Note the url isn't that hard to guess:

  • https://weekplan.s3.amazonaws.com/ - this is just static part same for all users (I would expect from name)
  • nonempty_text2 and .txt are derived from uploaded name "nonempty_test2.txt". This is visible from weekplan UI, so I can get that for example from screenshots on this forum with issues.
  • -89694 is number identificator than increases globally incrementally with each attachment uploaded (again assumption from observed behavior). That means if i know file name, I can download it with currently at most 89694 guesses (easily automated). If I also know at least roughly when the attachment was uploaded, I can reduce amount of guesses to probably few hundreds (since the number increases incrementally with time).

Some of the data I upload to my personal Weekplan are very sensitive for me or work related. If I am to use the service, security is critical for me.

App:
Web app
Avatar
Geeta
  • À l'étude

Thank you for reporting the issue. We will get back to you soon with an update. 

Avatar
Support Team

Attachments are being stored on an external server (Amazon S3). We have added extra random characters so it would be much harder to guess (impossible). I think that it should solve your problem.

Kind regards,