MAJOR SECURITY HOLE IN AIRTABLE: Any collaborator (even read-only collaborators) can steal 100% of your data with one click

My understanding is that there are multiple fairly easy ways of obtaining the underlying CDN attachment URLs:

  • Export the table to a CSV file
  • Copy/paste the table or cell value to another app, such as Excel
  • Use the attachment field in a formula field
  • Access the cell value from any of the APIs (okay, this one isn’t quite as easy)

BTW, your wife is beautiful.

Hahaha! Bill, that’s a solid 7.5 difference!! How did you accomplish this amazing feat!?!? :stuck_out_tongue_winking_eye: I have several friends who would love to learn this trick from you! :wink:

My answer to your overarching question is this, and I apologize if I haven’t made this clear earlier:

  • All collaborators, even read-only collaborators, can instantly download an entire table as a CSV file. But — drum roll, please — all of those dl.airtable.com links are a part of the CSV file. Those are the underlying URLs that have no protection. So, with one click of the mouse button, any collaborator (even a read-only collaborator) has access to ALL the underlying unprotected URLs in the entire table.

And THIS is the crux of the problem. It’s actually tied into the other security issues, which is that read-only collaborators can instantly download an entire table (or duplicate an entire base) with one click.

In essence, Stacker solves the majority of these security issues, because collaborators can only grab ONE underlying URL at a time.

None of this is probably that big of a deal for MOST people. I just don’t like losing business due to security issues like this. :stuck_out_tongue: And I know that Airtable probably doesn’t like losing business, either. But when I get calls from law firms that ask me “How safe are our attachments in Airtable?”, I have to go down this whole rabbit hole with them and explain these potential issues.

p.s. Regarding Google, good point about how the link actually IS public when choosing that one option that they provide to people. Many people don’t realize that when they choose that option.

Indeed. I handle this a bit differently. I simply say -

It is not unlike the exposure most businesses currently endure with G-Suite.

Two quick side-bar comments…

  1. If security is critical, attachments are not where you want to place sensitive documents.
  2. Any business attempting to blend sensitive documents into their data should consider hosting them by reference (URL), not value (copies of the sensitive documents).

As to #2 - a secure document in Google Drive will require authentication even when published in a fully open database in Airtable. Making copies of any sensitive information should always be guided by business policy; for most firms, it is frowned upon.

As to #1, Airtable made attachments very flexible because document management is a difficult science; they built what we (generally) asked them to build.

We cannot blame Airtable for these constraints or unintended uses of the product. At some point, users must take responsibility because Airtable has provided a reasoned and relatively secure collection of protective measures to make safe applications.

Correct. They don’t, just as Airtable users generally don’t understand the underlying loosely-configured mechanics. And given this, when was the last time Google was hauled into CNBC to explain why sensitive Drive documents were breached? 2006 to date and not a single instance. Same for Airtable - 2015 to date; not a single instance.

Thank you. Like I said - I cannot explain it. 38+yrs of marriage and so far she’s exhibited no interest in fleeing. From time-to-time she has mentioned that sentiment could change.

1 Like

I can confirm that Stacker is indeed absolutely incredible and user permissions is one of the main reasons I use it.

You noted the cost, but for many enterprise applications it’s cheaper since it doesn’t charge per user.

So my setup is a small team of database administrators using Airtable, while the rest of my clients use Stacker.

1 Like

One of the solutions I could think of is that when an AirTable database is shared with a collaborator, the collaborator works on the same data; however, the links would be completely different for the same document.

In other words, if the owner would look at the document link, the link would be different than the link to the same document that the collaborator would see. Yet, both links would point to the same document.

When the owner decides to stop sharing the database, the collaborator’s version of the links will be dead going to nowhere.

Added benefit would be traceability to see if somebody is downloading the attachments from the collaborator’s database in a batch.

Secondly, an adjustment AirTable could do is to fine-tune what an editor and collaborator is allowed or not allowed to do (see the links or not see them, allow 3rd party apps like Zapier to see the links in the collaborator’s version of the database or not allow to see them).

Maybe this could save the sheep and feed the wolf.

The only way to achieve a 100% security model the way listed in the OP’s AirTable Security Manifesto would be to require login (or be logged in) every time anybody tries to access a document in AirTable.

Not only would this mean some inconvenience (and break functionality like described earlier) but even AirTable wouldn’t work as expected. Take for example the Gallery view. One of the useful ways that Gallery appears to be promoted by some is perhaps to offer a view of the data to the external world (e.g. customers, for instance).

In my case, I turned the Gallery view to my private Classified site / eStore. I am even intending to add payment links to it through Zapier or similar. My idea is to turn AirTable to a poor man’s version of Pinterest / OfferUp.

If somebody wants to make copies of all the attachments, they could do that with a web-crawler.

So to summarize my view:

For AirTable to satisfy both the sheep and the wolf, they would need to fine-tune whether collaborators and viewers are able or not able to make a copy of the database, export database, access through Zapier, see links. Secondly, if people I trust have access to the links, the links should be unique to the person I shared with (regardless whether the links can be accessed by logging in or without logging in to AirTable).

Lastly, for all those other situations where people potentially have a copy of the data in AirTable… well there are NDA agreements. In particular, if AirTable generated a version of links that is unique to the individual I share with, that information would point to the particular individual who had misused that (download log in AirTable or something similar).

1 Like

This is such a fantastic idea! And such an easy solution, too! :slight_smile:

I hope that Airtable is listening to your suggestions.

This concept has been around for a long time and is ostensibly a “signed URL” - a URL that is distinct and immutable for a given user and often for a specific time period. Links like this should also have a shelf-life that can easily be controlled with an expiration date or access duration. I recommended this to the team about a year ago.
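The per-collaborator, expiring links proposed in the posts above (the "signed URL" idea), as an added example that is not from the thread or from Airtable's own code. The host, the query parameter names (`u`, `exp`, `sig`), the key and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"        # assumption: secret held only by the server
BASE = "https://files.example.com/att"  # hypothetical attachment host


def _mac(attachment_id: str, user: str, expires: int) -> str:
    # Bind the signature to the document, the collaborator and the expiry.
    # JSON encoding keeps the three fields unambiguous (no delimiter tricks).
    msg = json.dumps([attachment_id, user, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(attachment_id: str, user: str, expires: int) -> str:
    """Issue a link unique to one collaborator and one time window."""
    query = urlencode({"u": user, "exp": expires,
                       "sig": _mac(attachment_id, user, expires)})
    return f"{BASE}/{attachment_id}?{query}"


def verify_url(url: str, now: int, revoked: set, access_log: list) -> str:
    """Return 'ok' or the refusal reason; record which collaborator asked."""
    parts = urlsplit(url)
    attachment_id = parts.path.rsplit("/", 1)[-1]
    q = parse_qs(parts.query)
    try:
        user, expires, sig = q["u"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return "malformed"
    expected = _mac(attachment_id, user, expires)
    # Constant-time comparison, done before any field is trusted.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "bad-signature"
    access_log.append((now, user, attachment_id))  # traceability per link holder
    if user in revoked:
        return "revoked"   # owner stopped sharing: this person's links go dead
    if now > expires:
        return "expired"   # shelf-life enforced server-side
    return "ok"
```

A link copied out of a CSV export under this scheme still works for whoever holds it until it expires or is revoked, so the expiry window and the access log are what limit and expose bulk downloading.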

And not far from going a full blown blockchain ethereum supported solution too :wink: And imagine you could now integrate micropayments too to get paid. Yay.

@ScottWorld, @Bill.French, @kuovonne,

I hope you three know how much I love and learn from reading your discussions. Thank you for keeping it civil yet heated :smiley: The collective knowledge and sincerity displayed on this forum is one of the best things about Airtable!

3 Likes