Attachment URLs are public?

I just discovered that the URLs used for attachments appears to be public and accessible/downloadable without a login to airtable, even for tables that are not shared

For example, the following URL is to an attachment in an non-shared table, but is viable wherever I put the URL in, and presumably you can open it too:

https://dl.airtable.com/.attachments/81cfc19904f7d8aea2f5e62e0584f1a7/459869a8/TESTDOCUMENT.txt

This public URL was pulled from the “Download CVS” cvs export file.

Furthermore, when I delete an attachment and clear the trash, the link is still live. So here are my urgent questions:

  1. How do I make my attachments secure?
  2. How do I delete attachments so that the download link is no longer live?

It is notable that the record URL does require an airtable login, but the attachment URL does not. What am I missing here? There is also a different URL for the attachment via the cvs export vs the url used when a file is opened/viewed directly from the table itself. The table URL does require a login.

EDIT/ UPDATE: Airtable support confirmed my observations, and let me know this is by design, and they believe using obscure urls is security enough for user’s attachments. I disagree, and will find a more secure service.

I wonder how many users realize literally every attachment they have ever put into airtable has a public url. I’ve read use cases where people are storing tax returns, employee paperwork (W4/W2/W9 with SSN), scans of ID, and other sensitive documents in airtable. Hopefully they get this sorted out, but it sounds like they don’t think it’s a problem.

1 Like

Wow, I didn’t realize this, but this seems like another security hole in Airtable. This security hole allows your attachments to be visible to completely unauthorized users.

What makes this security hole most concerning to me is that even after you delete the attachments from your system, the attachments are STILL VIEWABLE to anyone who has the URL, including the general public.

I think it’s fair to say that Airtable is a relatively low-security platform. There are a few basic levels of security built into the platform, but in my opinion, it is a platform that should really only be used with people whom you implicitly trust — or with data that isn’t very sensitive.

Here are 6 of the security holes in Airtable, and there are likely more:

  1. Any collaborator on a base (including read-only collaborators) can copy all the data in the entire system with just one click by duplicating the entire base for their own personal usage.

  2. Any collaborator on a base (including read-only collaborators) can copy all the data in the entire system with just one click by exporting a CSV file of an entire table.

  3. Any collaborator on a base (including read-only collaborators) can copy all the data in the entire system by selecting all of the records in an entire table and pressing command-C to copy all of the table’s data with one click. And then, they can instantly paste all of that data into an external text editor.

  4. All blocks that depend on an API key to access an external service (such as the Google Maps block, the SendGrid email block, the Formstack Documents Block, the TypeForm block, etc.) expose your API key to anybody who uses your system, even a read-only user. With access to your API key, every user has unlimited access to your account with that external service. This can cause all sorts of seriously destructive problems, such as: people sending unauthorized emails that seem to be coming from YOU; theft of all of your data from these 3rd-party services; outrageously expensive fees (potentially in the thousands of dollars) when these other services charge “you“ for using their services; complete loss of all your data that is stored at these external services.

  5. When sharing a block using the new block sharing feature (which is currently in beta), users have access to all data in all tables.

  6. Uploaded attachments, even after being deleted from Airtable, are always visible to anyone by their URL. This could include the general public or any other unauthorized users of your system. And the worst part about this is that even if you completely delete the attachments from your system, they are still accessible to the general public.

I’ve been keeping track of these security holes in the thread below… and I just added #4 through #6 into the thread:

Personally, I would love to see Airtable invest more resources into security. I would love to see them appoint someone on the Airtable staff as the security expert whose job it is to focus primarily on security. It would be great to see Airtable make security an even higher priority in 2020.

However, based on the very few people who have complained about Airtable’s lack of security, it seems like they’re targeting a market that either (a) doesn’t really care much about security or (b) doesn’t realize that they’re not getting much security.

Luckily, Stacker fixes problems #1 through #3 above, but it doesn’t fix problems #4 through #6.

(By the way, the other database language that I specialize in is FileMaker Pro, and their security is legendary. All data is encrypted at rest and in transit; security is defined on a per-user basis; no users ever have access to unauthorized data nor API keys; no users ever have access to unauthorized attachments; attachments are always fully encrypted (at rest and in transit); no users can easily export/copy data; and the general public never has access to any data unless you decide to give them access to specifically-defined pieces of your data.)

1 Like

I really think this security problem is very serious and must be fixed ASAP. There are many threads in Airtable about this issue…

With this security flaws you cannot recommend using Airtable for companies at all!

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.