File name for attachments

#1

I see Infinity with a lot of potentials and with just a few little things updated it could be used to resolve many important jobs in my larger team.

One of the little things is the displayed filename in various views (Table, Columns etc).

From the screenshot of a Table view below, you see there are multiple files attached to an item.

  1. How does an user determine which icon reflects which specific file?
  2. With mouse over, the browser shows the direct URL (on AWS) to the file with a random filename. With the randomized filenames, the user still cannot determine which specific file it is.
  3. In the item’s detailed view, only the first 10 characters or so of the file name are displayed.
  4. In the Columns view, the filename is simply missing, even when the atttribute is enabled.

Suggestion: Display the filenames with mouse over or replace the icons with the file names.

Also an extended question to (2) but not related to the filename display, is anyone with the link could open the file without having access to Infinity. So the files are not access controlled. That’s a huge security concern in a multi-team or multi-company collaboration environment. Until integrations to the various cloud drives are done, It probably should at least be masked and redirected only through Infinity.

But what are those files? How does an user tell which file to use?

image

0 Likes

#2
  1. In table view I can see the full name when I hover over the icon and wait for 2-3 seconds. So part of your suggestion is already implemented :wink: Though it doesn´t work in the item-detailed-view. I agree that should be more consistent. I would also suggest that the filename is shown quicker, so if you need to check out 5 pdfs you don´t have to spend 10-15 seconds on it. For images it´s easy to see, because you have the thumbnails.
    I disagree with you on replacing the icons with the file names, because this would need too much space to display. It might be a good idea for the detailed for pdfs and other text documents to use a list of attachments. But it´s not a good idea for pictures.

  2. As far as I can see, the files are not access controlled. I can open my files using the aws-link whether I´m logged in or not. And also they are not deleted on aws when I delete them on infinity, which is probably due to backup/restore reasons. But the access for everyone that knows the link has to be changed especially in regards to GDPR.

1 Like

#3

I just did some testing and found that hover does work under Firefox but not for Safari (macOS).

0 Likes

#4

Hey guys! @j11, @micck!

I’ll make sure to forward this issue to the team and see what we can do about this. :slight_smile:

I’m especially concerned about the security stuff (accessing the file/AWS).

Thank you very much, details like these are really helpful!

0 Likes

#5

Regarding the security issue: While I cannot easily retrieve the AWS link through infinity as easy as before, I still can access any attachment without login on to AWS as long as I know the link structure: https://###########.amazonaws.com/item-files/digit-code/letter-code.file-ending So still anyone with the link can access my data. I´m not sure whether that means that any robot scanning your AWS address will also be able to access, but I assume that it´s possible, because it´s not password protected. So that´s probably still a no go for confident business data, not to speak of personal data especially payment information in regards to GDPR.

2 Likes

#6

This has been put into “Urgent” column, guys. Thanks for all the effort.

We’re definitely fixing this in the upcoming days.

2 Likes

#7

Great pickup! Glad this is getting sorted!

1 Like

#8

@micck - thank you for finding this huge security issue.
@coa For me this finding is an absolute nightmare, because it means everyone can access sensitive data from every Infinity user. Why and how? Let me explain:

The link shows a few important facts for an attacker:
1.) the AWS datacenter used by Infinity
2.) (as it looks to me) a unique user or workspace number (micck called this the digit-code)
3.) Also the letter code seems to have a fixed length or at least a length range

So what could happen here is: an attacker could spawn a few hundred AWS Lambda instances in the same AWS datacenter and brute force every combination for files to get all files from every Infinity user. Because the attacker would be located in the same datacenter this attack would run at an incredible speed. AWS doesn’t charge for traffic which occurs in the same datacenter so this attack is very cheap. And the Infinity team wouldn’t have any chance to detect or stop this (because these requests and the traffic are completely handled by Amazon beside any checks from the infinity servers).

How to fix this? (I hope I can give some advice - I just want to help)
1.) The infinity team has to code some kind of proxy file for their server. Every file link has to point to this proxy file instead directly to AWS S3 -> https://startinfinity.com/proxy?workspace=digit-code&file=letter-code.file-ending
2.) All S3 storage on AWS must be set to private - no external access allowed
3.) Only the proxy code should know the credentials to access the S3 storage
4.) When some requests a file from the proxy it has to check if the user is logged in and has the needed right to access these files (no possibility to access other users files) and then it could deliver/stream the requested file back to the user.

This change should be possible in less then a week. I think the Infinity team must inform every user that there was a chance someone already has accessed all files.

I really need a statement from the Infinity regarding this issue. I hope fixing this issue is the highest priority at the moment.

1 Like

#9

I hope fixing this doesn’t prevent me from grabbing a direct link to files stored in my boards?

Let me explain.

This is the link i get:

https://startinfinity.s3.us-east-2.amazonaws.com/item-files/18683/0C4CZM8B4FH3IyAppyMYxnxwogUqhQAzknXQEVkO.png

This is the image at that address:

I right click on a file and grab the direct link to it, I then use this link to share / embed the file directly on another page. For me it is like having publicly viewable file hosting.

Airtable has this feature of grabbing a direct link to the file stored in their database.

This is the link i get:

https://dl.airtable.com/.attachmentThumbnails/21f89f20f8054edae18173b92a24d98e/f7bb2841

This is the image at that address:

Notice how different the links are! Hope we can have direct links that are secure and private until we want to share them!

Thanks

1 Like

#10

I really appreciate all this content guys.

I’ll need to be 100% honest and say that this isn’t my strong point, so I don’t completely understand the issue, although I acknowledged the fact that it can cause huge issues in data leak.

I’ll do my best to make this a priority and notify the whole team.

Thank you so much.

1 Like

#11

Update: Just made an urgent ticket to discuss tomorrow during the daily meeting.

4 Likes

Unprotected Attachments - Security Issue
#12

Hi @CodeKnight @micck @InfiGhost

We now lost our champion coa and I could not find anything regarding this on other discussions or the roadmap.

I have created a new entry on the public roadmap and I hope you’d care to vote it up too.
I just hope that I have not made it worse mentioning the security hole on the public roadmap.

0 Likes

#13

Hey @j11,
that´s a good idea especially since the name of this thread is misleading. I already voted for it.
At least the server link is not visible anymore. I also thinks this has to have highest priority.

I just checked with Trello and the files there are also accessible without login once you have the link. So they have the same problem - maybe it´s a feature :wink:

@stefan @Jovana Maybe the infinity team will tell us more about this issue here next week!?

0 Likes

#14

Hey guys!

After checking out @micck’s last reply, I actually spoke to our product manager and she told me that this should be working now without any security problems. However, after checking, I noticed this is not the case. So it turned out that there was an oversight on our dev team’s part and the task is back in their hands. Hopefully, it will be dealt with and fixed soon.

Thanks for the patience!

0 Likes

#15

Have up voted this as well. Unfortunately the Roadmap is suffering from first in items being seen by the most people, and new items near the bottom of the list being neglected.

1 Like

#16

@CodeKnight: Agree. And there are quite a lot duplicates. It would be great if the infinity team would clean that up, also add a date to the the “invalid date” items and make the “Most Recent” Tab the Start View.

0 Likes