Attachments can be accessed without login

  • Under review

Any attachment I added to my personal, non-shared Weekplan task can be accessed by anyone without login information for my account. All an attacker needs to know is the URL of the attachment.

For example, I created the task "Report Weekplan security issue: attachments" and added the file nonempty_test2.txt. Now anyone can access the file using the URL https://weekplan.s3.amazonaws.com/nonempty_test2-89694.txt .

Note that the URL isn't that hard to guess:

  • https://weekplan.s3.amazonaws.com/ - this is just a static part, the same for all users (as I would expect from the name).
  • nonempty_test2 and .txt are derived from the uploaded name "nonempty_test2.txt". This is visible in the Weekplan UI, so I can get it, for example, from screenshots of issues on this forum.
  • -89694 is a numeric identifier that increases globally and incrementally with each attachment uploaded (again, an assumption from observed behavior). That means if I know the file name, I can download it with currently at most 89694 guesses (easily automated). If I also know at least roughly when the attachment was uploaded, I can reduce the number of guesses to probably a few hundred (since the number increases incrementally with time).

Some of the data I upload to my personal Weekplan is very sensitive for me or work related. If I am to use the service, security is critical for me.

App:
Web app
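A defender-side illustration of the naming problem described in the report, added here and not code from Weekplan or from the reporter: an object-key scheme that puts a cryptographically random token in the key instead of a global counter (so knowing the filename and the upload time gives no help), plus an audit check that flags a batch of existing keys whose numeric suffix increments like a counter. Apart from the key quoted in the report, the sample keys are constructed, and TOKEN_BYTES is an assumed value.

```python
import re
import secrets
from pathlib import PurePosixPath
from typing import Iterable, Optional

# Assumed value: 16 bytes = 128 bits of randomness per key, far beyond any feasible guess count.
TOKEN_BYTES = 16

# Matches a trailing "-<digits>" before an optional extension, e.g. "nonempty_test2-89694.txt".
SEQ_SUFFIX = re.compile(r"-(\d+)(?:\.[A-Za-z0-9]+)?$")


def sanitize_filename(name: str) -> str:
    """Reduce an uploaded filename to a safe stem plus extension, dropping any path parts."""
    p = PurePosixPath(name.replace("\\", "/"))
    stem = re.sub(r"[^A-Za-z0-9._-]+", "_", p.stem).strip("._") or "file"
    ext = re.sub(r"[^A-Za-z0-9]", "", p.suffix)
    return f"{stem}.{ext}" if ext else stem


def build_object_key(uploaded_name: str, token: Optional[str] = None) -> str:
    """Build an S3 object key as <random token>/<sanitized name>.

    Uniqueness and unguessability come from the token, not from a counter,
    so the visible filename reveals nothing about the key. A fixed token may
    be passed in for testing only.
    """
    if token is None:
        token = secrets.token_urlsafe(TOKEN_BYTES)
    return f"{token}/{sanitize_filename(uploaded_name)}"


def sequential_suffixes(keys: Iterable[str]) -> bool:
    """Audit check: True if every key ends in "-<number>" and the numbers strictly increase.

    Run over keys listed in upload order; a True result means the bucket is
    using counter-style names that an outsider can enumerate.
    """
    nums = []
    for key in keys:
        m = SEQ_SUFFIX.search(key)
        if not m:
            return False
        nums.append(int(m.group(1)))
    return len(nums) >= 2 and all(b > a for a, b in zip(nums, nums[1:]))


if __name__ == "__main__":
    # Constructed sample, in upload order; the first key is the one quoted in the report.
    old_style = ["nonempty_test2-89694.txt", "report-89695.pdf", "notes-89701.txt"]
    print("old scheme enumerable:", sequential_suffixes(old_style))
    print("new key:", build_object_key("nonempty_test2.txt"))
```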
Support Team

Attachments are stored on an external server (Amazon S3). We have added extra random characters so it would be much harder to guess (impossible). I think that should solve your problem.

Kind regards,

Geeta
  • Under review

Thank you for reporting the issue. We will get back to you soon with an update.