Unprotected Attachments - Security Issue

As already discussed here and an roadmap item created here:
Attachments are not protected, which means anyone with the attachment link can access them. They don’t have to be logged in to infinity and to have the permission to view.

I want to store contracts with confidential data, but I better not do this until this is solved.

Hi @micck, after checking out your reply in the ‘File name for attachments’ I actually spoke to our product manager and she told me that this should be working now without any security problems. However, after checking, I noticed this is not the case. So it turned out that there was an oversight on our dev team’s part and the task is back in their hands.

After getting this information I completely forgot updating you on that other topic although I was planning to. I will post this same answer in there as well asap.

Thanks for the reminder!

1 Like

Just got an update from the support team. The team is already working on the issue atm. :smiley:


What’s the status on this, has it been resolved?

It’s been improved very much, but there still is a little loophole. Check it out! Can you find it?
The team is still working on closing the last loophole, but the major improvement is already live.
Thus infinity attachment are more secure than Trello attachments by now already.

Hi @Derrick, as @micck cleverly noticed - we have already implemented some improvements when it comes to attachment security. However, we didn’t want to announce anything officially yet because there are still a few smaller things that need to get covered (I’m guessing this is probably related to the ‘loophole’ @micck was mentioning). :slight_smile:

Hoping to finalize it soon, but it’s already much more secure than it was. :slight_smile:

P.S. @micck If you wish, you can write to us with the loophole you found, perhaps it’s something else that we missed. So we want to make sure we cover all of it in the final fix.

I already did send you what I noticed after testing it out when I thought it was already done.

Indeed, thank you @micck. My bad, I found your message with the explanation. :slight_smile:

1 Like