No authentication on attachment links!

  • Problem
  • Updated 5 years ago
Clicking on a link for any attachment to a task or task list links to the attachment hosted on Amazon Simple Storage Service (s3.amazonaws.com).
The links to storage created are completely unprotected and accessible by anyone.

Amazon S3 mentions that these links are temporary; how long do they remain valid?
Jared Byrd

Posted 5 years ago

aHa!Coaching, Champion

There might be some confusion here as Mindjet does not interpret hyperlinks, it just creates a link using the text you (or a colleague) enter in the hyperlink input box. Maybe you could check with Amazon S3 why these links are accessible to everyone and how long they remain active?
Jared Byrd

I will present clarifying examples:
I have a task on my task list that only I can see.
Attached to this task list is an image.
The link from the task list to the attachment is:
https://action.mindjet.com/task/11451...
If someone who is not authorized tries to access that link, they are taken to mindjet's login page, which is good.
If someone who is authorized clicks on that link it opens the image in a new tab, that tab has the following URL:
http://s3.amazonaws.com/cohuman2/atta...
This link can be used by anyone to see this image.

It is of note, when I rechecked this link just now it did include the following parameters as well:
AWSAccessKeyId, Expires, & Signature
But as you can see from the link above, it works without these parameters as well.
Ben Work

Hi Jared,

Thanks for pointing this out. Seems like our links have not been expiring properly, though they were still protected by an unguessable random hash. We have just released a fix for this, so that by tomorrow all Amazon S3 attachment URLs will expire after 5 minutes.

Thanks again for your help and please email me at ben.work@mindjet.com if you have any further questions.

Ben
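To make the fix Ben describes concrete, here is an added example (not Mindjet's code, and not the AWS SDK) that models the legacy S3 query-string link with AWSAccessKeyId, Expires and Signature from Jared's post, issuing it with a 5-minute window and showing the server-side decision that the object must hit when it is private: a link with the parameters stripped, an expired link, or a tampered Expires is refused. The bucket name comes from the thread; the key, credentials and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, non-functional credentials used only for this demonstration.
ACCESS_KEY = "AKIAEXAMPLEKEY"
SECRET_KEY = "example-secret-not-a-real-key"


def _string_to_sign(bucket, key, expires):
    # Legacy S3 query-string auth: verb, Content-MD5, Content-Type, Expires, resource.
    return f"GET\n\n\n{expires}\n/{bucket}/{key}"


def sign(bucket, key, expires, secret=SECRET_KEY):
    # Signature = Base64(HMAC-SHA1(secret, StringToSign))
    mac = hmac.new(secret.encode(), _string_to_sign(bucket, key, expires).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign(bucket, key, ttl_seconds=300, now=None):
    """Build an attachment link that is only honoured for ttl_seconds (5 minutes by default)."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    query = urlencode({"AWSAccessKeyId": ACCESS_KEY, "Expires": expires,
                       "Signature": sign(bucket, key, expires)})
    return f"https://s3.amazonaws.com/{bucket}/{key}?{query}"


def check_request(url, now=None, secret=SECRET_KEY):
    """Model of the storage-side decision for a PRIVATE object: 'ok' or a denial reason.
    A public-read ACL would bypass this check entirely, which is why the bare link in
    the thread kept working even without the three parameters."""
    parts = urlsplit(url)
    bucket, _, key = parts.path.lstrip("/").partition("/")
    q = parse_qs(parts.query)
    if not all(p in q for p in ("AWSAccessKeyId", "Expires", "Signature")):
        return "denied: missing credentials"   # stripped link must not open the object
    expires = int(q["Expires"][0])
    current = int(now if now is not None else time.time())
    if current > expires:
        return "denied: expired"               # the 5-minute window has passed
    if not hmac.compare_digest(q["Signature"][0], sign(bucket, key, expires, secret)):
        return "denied: bad signature"         # Expires or key was tampered with
    return "ok"
```

A quick way to confirm the deployed fix from the outside is the same decision table: the full link should open only within the window, and the same URL with everything after `?` removed should be refused.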
Jared Byrd

Thank you *very* much, this should handle the issue!