silos: malware, sharing, permissions, pgp, [form splash screen] and security

I am a busy guy. We probably all are.

  • If I share a dedicated workspace with just one table in it that is silo’d off from my real AT workspace, no one can see my other AT stuff, right? AT has PGP? I am asking here
  • If there is a link in that table to a dedicated google sheet, no creator in the AT table can see the rest of my google sheets [or account], right? Cause I had to give permission for the google account. Of course I don’t think so, but it was bothering me. I tried to check by approaching it with a private window as a public view.

Last question: is there anyway a creator in an AT base could install any malware into my Airtable? Like a bot that sends the data after the job is done

I like Airtable. I really need a tutor.
But I have an application to do now.

I would like to improve a Google Form by syncing it to a new Airtable CRM. The sync would either happen w integromat or, I could move the form to Airtable.

So I hire an Uphold programmer.

First problem with using Airtable to field a form: I don’t like having a splash screen advertisement for AT at the end of the form :embarrassed:

I have some “sensitive” stuff in AT
so I create a new free workspace to share w programmer.

In this workspace the table I started has a google sheets link.

Hello @Weasn

I’d love to assist you on your requirements.

You can reach me on Email [trish@cisinlabs.com] or Skype - live:.cid.baff7c7dd9471b54

Regards,
Trish

Hello @Weasn

PM sent, please check, so that we can have detailed discussion and can proceed it further.

Regards,
Norman

A collaborator who only has access to one Airtable workspace cannot get at data in another Airtable workspace.

Yes, a creator in an Airtable base can install malware. They can write scripts in Scripting app or create a Scripting automation that can do any number of bad things.

However, a collaborator does not need to be a creator to steal you data. Any collaborator, even read-only collaborators, can make a copy of your base.

Even after the programmer is no longer a collaborator for the base, there could be lingering public shares that provide access to the base.

In short: don’t give access to you base to anyone that you don’t trust.

You can remove the Airtable advertisement with a Pro subscription.

1 Like

very helpful!
so basically I can’t hire an unknown programmer to help build the collab table and have any expectation of security.

In other words, I could have an upwork guy build a new form in a dedicated workspace and then copy that collaborated form and associated CRM table over to my regular workspace.
eh, but then any bot in the collab CRM table would be copied to the secure table in the main secure workspace, hmm.
How to get around this?

no way to reveal all automations in the collab table?
How to see if there are any malicious scripts installed in the collab table before copying to the secure table?

upwork will not be applicable here then,
main attribute of the programmer has to be a trusted third party
no way to verify, or then you would be the expert?

Once you give someone access to your base, you cannot expect Airtable to prevent that person from using that access to do bad things. Now, most Airtable consultants are not going to do bad things, and there are many reputable Airtable consultants. But it is up to you to decide who to trust–not only who will not inject malware into your base or steal you data, but also who will do a good job for what you actually want done.

If you have someone from UpWork work in a dedicated workspace, your other workspaces are safe. If you copy something from a base in that dedicated workspace to a different base/workspace, the security risk depends on what you copy. If you copy a table, you aren’t copying any code that can do malicious things. A form by itself contains no code, so copying a form can’t introduce the type of security risks you are worrying about.

Custom code that can access the outside world only exists in

  • scripting app Look in your dashboards for these. Note that the scripting app installation might have a custom name, but it will still look like scripting app…

  • scripting automation actions Look in the automations area for these. There is a maximum of 25 automations, and each automation can have up to 25 actions.

  • custom apps Look in your dashboards for these. These are rare.

This topic was solved and automatically closed 15 days after the last reply. New replies are no longer allowed.