Help

Why does Download CSV upload my attachments to a publicly accessible URL by default?

Topic Labels: ImportingExporting
911 1
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
stonkykong
5 - Automation Enthusiast
5 - Automation Enthusiast
See Solution in Thread

‎Sep 30, 2021 01:42 AM

Hi,

I was experimenting with different ways to share a table with a client. I was quite alarmed when I tried “Download CSV”, and the attachments, many containing private/sensitive data, were uploaded to publicly accessible URLs by default without my consent.

Is no one else as concerned as I am about this default behaviour? To my mind, unless explicitly stated otherwise, export/download should be exclusively to the local device. Uploading to public URLs should be opt-in. As it functions now, Download CSV is actually “Download CSV and Upload Attachments to the Public Web.” This is a security issue, especially since the user is not given the option to turn it off or even warned about it.

Can someone please show me how to wipe/delete these attachments from the web?

Thanks,
SK

0 Kudos
Reply
1 Reply 1
stonkykong
5 - Automation Enthusiast
5 - Automation Enthusiast
See Solution in Thread

‎Sep 30, 2021 01:56 AM

Just speculating, but could it be that the attachments were always at public URLs and Download CSV didn’t do anything but expose them? If so, that’s even scarier. I really hope not.

Yes, looks like that’s the case: Attachment URLs are public?

This is quite disappointing. I wish I had known this earlier.

What is the point of restricting access to tables or views if any random person can view attachments if they get a hold of the URL?

0 Kudos
Reply
Copyright © 2024 Khoros, LLC