This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Help

Why does Download CSV upload my attachments to a publicly accessible URL by default?

Topic Labels: ImportingExporting
621 1
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
stonkykong
5 - Automation Enthusiast
5 - Automation Enthusiast
See Solution in Thread

‎Sep 30, 2021 01:42 AM

Hi,

I was experimenting with different ways to share a table with a client. I was quite alarmed when I tried “Download CSV”, and the attachments, many containing private/sensitive data, were uploaded to publicly accessible URLs by default without my consent.

Is no one else as concerned as I am about this default behaviour? To my mind, unless explicitly stated otherwise, export/download should be exclusively to the local device. Uploading to public URLs should be opt-in. As it functions now, Download CSV is actually “Download CSV and Upload Attachments to the Public Web.” This is a security issue, especially since the user is not given the option to turn it off or even warned about it.

Can someone please show me how to wipe/delete these attachments from the web?

Thanks,
SK

0 Kudos
Reply
1 Reply 1
stonkykong
5 - Automation Enthusiast
5 - Automation Enthusiast
See Solution in Thread

‎Sep 30, 2021 01:56 AM

Just speculating, but could it be that the attachments were always at public URLs and Download CSV didn’t do anything but expose them? If so, that’s even scarier. I really hope not.

Yes, looks like that’s the case: Attachment URLs are public?

This is quite disappointing. I wish I had known this earlier.

What is the point of restricting access to tables or views if any random person can view attachments if they get a hold of the URL?

0 Kudos
Reply
Copyright © 2024 Khoros, LLC