Why does Download CSV upload my attachments to a publicly accessible URL by default?

Topic Labels: ImportingExporting
681 1
Showing results for 
Search instead for 
Did you mean: 
5 - Automation Enthusiast
5 - Automation Enthusiast


I was experimenting with different ways to share a table with a client. I was quite alarmed when I tried “Download CSV”, and the attachments, many containing private/sensitive data, were uploaded to publicly accessible URLs by default without my consent.

Is no one else as concerned as I am about this default behaviour? To my mind, unless explicitly stated otherwise, export/download should be exclusively to the local device. Uploading to public URLs should be opt-in. As it functions now, Download CSV is actually “Download CSV and Upload Attachments to the Public Web.” This is a security issue, especially since the user is not given the option to turn it off or even warned about it.

Can someone please show me how to wipe/delete these attachments from the web?


1 Reply 1
5 - Automation Enthusiast
5 - Automation Enthusiast

Just speculating, but could it be that the attachments were always at public URLs and Download CSV didn’t do anything but expose them? If so, that’s even scarier. I really hope not.

Yes, looks like that’s the case: Attachment URLs are public?

This is quite disappointing. I wish I had known this earlier.

What is the point of restricting access to tables or views if any random person can view attachments if they get a hold of the URL?