Help

The Community will be temporarily unavailable starting on Friday February 28. We’ll be back as soon as we can! To learn more, check out our Announcements blog post.

Why does Download CSV upload my attachments to a publicly accessible URL by default?

Topic Labels: ImportingExporting
984 1
cancel
Showing results for 
Search instead for 
Did you mean: 
stonkykong
5 - Automation Enthusiast
5 - Automation Enthusiast

Hi,

I was experimenting with different ways to share a table with a client. I was quite alarmed when I tried “Download CSV”, and the attachments, many containing private/sensitive data, were uploaded to publicly accessible URLs by default without my consent.

Is no one else as concerned as I am about this default behaviour? To my mind, unless explicitly stated otherwise, export/download should be exclusively to the local device. Uploading to public URLs should be opt-in. As it functions now, Download CSV is actually “Download CSV and Upload Attachments to the Public Web.” This is a security issue, especially since the user is not given the option to turn it off or even warned about it.

Can someone please show me how to wipe/delete these attachments from the web?

Thanks,
SK

1 Reply 1
stonkykong
5 - Automation Enthusiast
5 - Automation Enthusiast

Just speculating, but could it be that the attachments were always at public URLs and Download CSV didn’t do anything but expose them? If so, that’s even scarier. I really hope not.

Yes, looks like that’s the case: Attachment URLs are public?

This is quite disappointing. I wish I had known this earlier.

What is the point of restricting access to tables or views if any random person can view attachments if they get a hold of the URL?