File name for attachments

This has been put into “Urgent” column, guys. Thanks for all the effort.

We’re definitely fixing this in the upcoming days.

2 Likes

Great pickup! Glad this is getting sorted!

1 Like

@micck - thank you for finding this huge security issue.
@coa For me this finding is an absolute nightmare, because it means everyone can access sensitive data from every Infinity user. Why and how? Let me explain:

The link shows a few important facts for an attacker:
1.) the AWS datacenter used by Infinity
2.) (as it looks to me) a unique user or workspace number (micck called this the digit-code)
3.) Also the letter code seems to have a fixed length or at least a length range

So what could happen here is: an attacker could spawn a few hundred AWS Lambda instances in the same AWS datacenter and brute force every combination for files to get all files from every Infinity user. Because the attacker would be located in the same datacenter this attack would run at an incredible speed. AWS doesn’t charge for traffic which occurs in the same datacenter so this attack is very cheap. And the Infinity team wouldn’t have any chance to detect or stop this (because these requests and the traffic are completely handled by Amazon beside any checks from the infinity servers).

How to fix this? (I hope I can give some advice - I just want to help)
1.) The Infinity team has to code some kind of proxy file for their server. Every file link has to point to this proxy file instead of directly to AWS S3 -> https://startinfinity.com/proxy?workspace=digit-code&file=letter-code.file-ending
2.) All S3 storage on AWS must be set to private - no external access allowed
3.) Only the proxy code should know the credentials to access the S3 storage
4.) When someone requests a file from the proxy, it has to check if the user is logged in and has the needed rights to access these files (no possibility to access other users' files) and then it could deliver/stream the requested file back to the user.

This change should be possible in less than a week. I think the Infinity team must inform every user that there was a chance someone already has accessed all files.

I really need a statement from Infinity regarding this issue. I hope fixing this issue is the highest priority at the moment.

1 Like
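
A sketch of the access check the proxy proposed in this post would perform, extended with short-lived signed share links, as an added example that is not part of the original thread or Infinity's code. The user names, object table, signing key and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample data (hypothetical names): workspace members and stored objects.
MEMBERS = {"18683": {"alice"}, "20001": {"bob"}}
OBJECTS = {"item-files/18683/report.pdf": {"deleted": False},
           "item-files/18683/old.png": {"deleted": True}}
SIGNING_KEY = b"constructed-demo-key"  # placeholder; keep the real key server-side only
KEY_RE = re.compile(r"item-files/(\d+)/[A-Za-z0-9]+\.[A-Za-z0-9]+")


def authorize(user, key):
    """Decide a proxy request; user is None when the caller is not logged in."""
    if user is None:
        return 401
    m = KEY_RE.fullmatch(key)
    if m is None:
        return 400  # rejects traversal and anything outside item-files/
    obj = OBJECTS.get(key)
    # Foreign workspace and unknown object get the same answer, so the
    # response does not confirm which keys exist.
    if obj is None or user not in MEMBERS.get(m.group(1), set()):
        return 404
    return 410 if obj["deleted"] else 200


def _sign(key, expires):
    msg = f"{key}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_share_link(user, key, now, ttl=300):
    """Hand out a short-lived link only to a user who passes authorize()."""
    if authorize(user, key) != 200:
        raise PermissionError("not allowed to share this attachment")
    expires = int(now) + ttl
    return {"path": key, "expires": expires, "sig": _sign(key, expires)}


def verify_share_link(link, now):
    """Checked by the proxy before it reads from the private bucket."""
    obj = OBJECTS.get(link["path"])
    if obj is None or obj["deleted"]:
        return False  # deleting the item revokes outstanding links
    good_sig = hmac.compare_digest(_sign(link["path"], link["expires"]), link["sig"])
    return good_sig and now < link["expires"]
```

With the bucket private, the only way to an object is through `authorize()` or a link that `verify_share_link()` accepts, so guessing object names against the storage host yields nothing.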

I hope fixing this doesn’t prevent me from grabbing a direct link to files stored in my boards?

Let me explain.

This is the link I get:

https://startinfinity.s3.us-east-2.amazonaws.com/item-files/18683/0C4CZM8B4FH3IyAppyMYxnxwogUqhQAzknXQEVkO.png

This is the image at that address:

I right click on a file and grab the direct link to it, I then use this link to share / embed the file directly on another page. For me it is like having publicly viewable file hosting.

Airtable has this feature of grabbing a direct link to the file stored in their database.

This is the link I get:

https://dl.airtable.com/.attachmentThumbnails/21f89f20f8054edae18173b92a24d98e/f7bb2841

This is the image at that address:

Notice how different the links are! Hope we can have direct links that are secure and private until we want to share them!

Thanks

1 Like

I really appreciate all this content guys.

I’ll need to be 100% honest and say that this isn’t my strong point, so I don’t completely understand the issue, although I acknowledged the fact that it can cause huge issues in data leak.

I’ll do my best to make this a priority and notify the whole team.

Thank you so much.

1 Like

Update: Just made an urgent ticket to discuss tomorrow during the daily meeting.

4 Likes

Hi @CodeKnight @micck @InfiGhost

We now lost our champion coa and I could not find anything regarding this on other discussions or the roadmap.

I have created a new entry on the public roadmap and I hope you’d care to vote it up too.
I just hope that I have not made it worse mentioning the security hole on the public roadmap.

Hey @j11,
that's a good idea, especially since the name of this thread is misleading. I already voted for it.
At least the server link is not visible anymore. I also think this has to have highest priority.

I just checked with Trello and the files there are also accessible without login once you have the link. So they have the same problem - maybe it's a feature :wink:

@stefan @Jovana Maybe the infinity team will tell us more about this issue here next week!?

Hey guys!

After checking out @micck’s last reply, I actually spoke to our product manager and she told me that this should be working now without any security problems. However, after checking, I noticed this is not the case. So it turned out that there was an oversight on our dev team’s part and the task is back in their hands. Hopefully, it will be dealt with and fixed soon.

Thanks for the patience!

Have upvoted this as well. Unfortunately the Roadmap is suffering from first in items being seen by the most people, and new items near the bottom of the list being neglected.

1 Like

@CodeKnight: Agree. And there are quite a lot of duplicates. It would be great if the Infinity team would clean that up, also add a date to the “invalid date” items and make the “Most Recent” Tab the Start View.

Any updates on this?

FYI, the attachment links remain working even after the items are deleted in “Trash”.
I can’t control the access to the files ever uploaded to Infinity.
This is really concerning.

@j11 I also contacted chat support for this issue last week. They wanted to get back to me after checking with the team, but I think they might have been sidetracked by the big updates they rolled out this week. I'll let you know as soon as I get a reply.

Boka from the chat support just told me:

> I just had a word with the product manager regarding this topic, and I urged the dev team to take up the task again as soon as possible! And once again I want to thank you for your patience!

I have scheduled a task for me in two weeks to follow up on this.

Hi @j11 and @micck, sorry about the wait on this. Apparently, our CTO had to work on this personally which by itself means it’s going to take a bit more time as he has a lot on his plate.

Once he deployed the ‘fix’ a few weeks ago we realized that it wasn’t actually working as it should and it was put back on his to-do list. But by that time, he already had dozens of other things that needed his attention.

Anyway, the support team and I have urged the dev team to focus on this once again and raise its priority, and hopefully fix this once and for all. :pray: The information I have is that this should be worked on next week.

Thanks for your patience and I honestly hope I’ll be able to update you next week with some good news.

1 Like

Nearly 3 months later, any update on this issue, @Jovana?

Hello @InfiGhost! I believe I also replied to you on Facebook regarding this.

Sorry about no updates, there are a few topics regarding this so I forgot to update this one, but a discussion is going on here.

As I mentioned on this other topic and on Facebook, we have made significant progress with this and the attachments are already much more secure than before. But we still have a few things to cover for the fix to be complete.

Thanks for the patience! :slight_smile:

@Jovana Thumbnails for images are still loading directly from public S3 buckets on AWS (startinfinity.s3.us-east-2.amazonaws.com). So everybody can see what kind of images I store inside any of my boards. Full size png and pdf are still accessible in a private window without any problem for an attacker (https://app.startinfinity.com/attachments/get?path=item-files/xxxxx/yyyyy.png). Sorry, but for me there is no improvement at all!? Am I missing something?

Hi @InfiGhost!

Not sure how we could limit the thumbnails and previews since those are intended to be visible by your whole team - and for the people you share the board with.

When clicking on a link to an image, you can no longer see it - you should get an error if you follow a certain link to an image stored in Infinity. So basically the biggest improvement is that people outside Infinity can no longer open files to Infinity just because they have a link.

But I will need to check with the devs the exact list of improvements. And as @micck suggested, we do have some loopholes to cover still.

Hi @Jovana,

> Not sure how we could limit the thumbnails and previews since those are intended to be visible by your whole team - and for the people you share the board with.

Currently the thumbnails are visible to the whole world! There is no protection because the AWS S3 bucket used by Infinity is completely visible to anyone. So anyone can run a script and let it guess filenames and download all thumbnails and previews. This is not what we want, right?

> When clicking on a link to an image, you can no longer see it - you should get an error if you follow a certain link to an image stored in Infinity.

I can access pdfs and pngs in my private Infinity board without any protection or without the need to login from a private browser window and also from another browser. I have sent you two links via FB messenger so you can verify it yourself - I don’t want to post them here.

> So basically the biggest improvement is that people outside Infinity can no longer open files to Infinity just because they have a link.

They still can - at least in my case.