Re: Why isn't email verification required?

jills · ‎Jan 11, 2024

Is there a reason why you don't need to verify your email address to access Airtable? I was shocked to discover this isn't a requirement.

I have an interface set up so that only the current user can view sets of information, but I found that it's possible for someone to create an Airtable account with someone else's email and view the information associated with that email address. Email verification is not required to access the interface and see data that should only be seen by the actual user.

Are there plans to address this? Is anyone using a workaround to make this more secure? Is it related to being on the Team plan?

ScottWorld · ‎Jan 11, 2024

Yeah, that seems like a pretty big security hole. I would report that to support@airtable.com.

jills · ‎Jan 12, 2024

Thanks! I'll do that. I'm getting pushback from my company about using Airtable because of this security issue. I was also surprised at the lack of posts about it.

jills · ‎Jan 12, 2024

UPDATE: Customer Support did respond, and I did some new testing. As far as I can tell now, any shared bases or interfaces cannot be accessed until after email verification. So while email verification is not required to start using Airtable, shared data cannot be accessed until after the email address is verified.

ScottWorld · ‎Jan 12, 2024

Ah, that's great to know!