Add private attachments to plans outside of Enterprise
complete
Joseph Arrieta
Hi guys, so yes, basically what the title says, let me give an example so we can understand how important and critical this issue is and I think most users using ClickUp are not aware of this problem.
This is a URL to an attachment inside of a space/folder/task that are only visible to my ClickUp User: https://t3090057.p.clickup-attachments.com/t3090057/c751201c-9a80-47ff-88b5-640b74b10f88/linux.jpeg?view=open
If you open this URL, you will be able to see the content of that attachment (Tux Penguin)
What this means is, all the attachments that you are putting into ClickUp are discoverable through the internet (yes, your contracts, your files with personal information, your PDFs with sensitive information and so on).
I was told that the business plan has private attachments. Sorry ClickUp Team, but no, this is a security hole and I expect all these files to be private by default even in the free version. So no, it's not about the plan, this needs to be fixed.
I contacted support and this issue doesn't seem to be that important given their roadmap. If you ask me I think this is a stop-the-world issue that must be addressed right away, but hey, I'm just a user, what can I know.
I hope we can get a fix of this ASAP.
Brendan W
Hey, everyone!
Just wanted to address this post and let you know that we hear you, and understand you! Security is a big concern for us too which is why we've gone ahead and put a plan in place to restrict public attachments from being indexed on major search engines like Google.
We understand it doesn't fully solve the problem, but we will continue to move forward and work on a full solution soon.
We recently hired our VP of Security who will oversee any concerns or issues and begin implementing new procedures and practices within ClickUp internally, including auditing newly released or old features for security flaws. Please keep sharing areas we can improve regarding security and our team will review as soon as possible!
Lastly, the name of the post was updated to better reflect your ask after our fix to stop the indexing of attachment URLs is implemented!
Posted on 6/29/2021
Terry Tribebot
A few points:
- That "Private Attachments" option should be turned ON by default, not OFF across 100% of ClickUp tenants
- ClickUp needs to create a way to retroactively mark Attachment URLs as not publicly accessible that have been uploaded BEFORE a tenant turns ON the "Private Attachments" option.
- The 1 hour window needs to be eliminated completely for Private Tasks. If we have the option to make attachments private turned ON, then it should be ON from the exact millisecond that the attachment is uploaded, not an hour later.
As everyone has said, attachments should never, ever, ever be available on a publicly accessible URL inside ClickUp unless the user has specifically intentionally requested to create a publicly accessible link for a particular attachment.
Please fix this urgently and properly ClickUp, the existing band-aid solution is not enough.
From a development perspective, it's quite easy to implement this, so "technical limitations" can't be the reason for this not being done.
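The three requirements in the list above, modelled as an authorization gate for attachment downloads. This is an added example, not ClickUp's code; it assumes a tenant-wide "private attachments" switch that applies retroactively, per-attachment state that is private from the moment of upload (no grace window), and an explicit, revocable share token as the only route to unauthenticated access. An unguessable object id in the URL is deliberately not treated as authorization.

```python
"""Attachment download authorization (added example, not ClickUp's code).
Assumed model: Tenant.private_attachments is ON by default and is checked
on every request, so flipping it applies retroactively to old uploads;
Attachment.share_token exists only after a user explicitly publishes one
attachment and can be revoked at any time."""
from dataclasses import dataclass
from hmac import compare_digest
from secrets import token_urlsafe
from typing import FrozenSet, Optional


@dataclass
class Tenant:
    tenant_id: str
    private_attachments: bool = True   # ON by default, for every tenant


@dataclass
class Attachment:
    attachment_id: str                 # an unguessable id is NOT authorization
    tenant_id: str
    task_members: FrozenSet[str]       # users allowed to see the parent task
    share_token: Optional[str] = None  # set only by an explicit user action

    def create_public_link(self) -> str:
        """Intentionally publish this one attachment: mint a revocable token."""
        self.share_token = token_urlsafe(32)
        return self.share_token

    def revoke_public_link(self) -> None:
        self.share_token = None


def can_access(tenant: Tenant, att: Attachment,
               user_id: Optional[str], presented_token: Optional[str]) -> bool:
    """Decide whether a download request may be served. Default is deny,
    effective from the moment of upload; there is no grace window."""
    if att.tenant_id != tenant.tenant_id:
        return False
    if user_id is not None and user_id in att.task_members:
        return True                      # authenticated member of the task
    if not tenant.private_attachments:
        return True                      # tenant explicitly opted out of privacy
    if att.share_token and presented_token:
        # constant-time compare so token guessing leaks no timing signal
        return compare_digest(att.share_token, presented_token)
    return False
```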
Michael Kuntz
I have lots of sensitive documents stored in clickup. I just confirmed they can be viewed without logging in. However, I can't find them in a google search. Should I be worried?
Robert K
Michael Kuntz Same here.
I think the good part is that the link contains some unique combination at the beginning as well as the name of the file at the end...therefore not that easy to find out even by mistake (for example with links generated from tools like LightShot, if you change a few characters you can see other printscreens)
Brendan W Luci N. - is there a possibility for someone to scrape Clickup for all these public attachments??
Tim Jasper
What the Absolute F#$D!! . I've just discovered this and was about to report it as an urgent security bug. This is still an issue and Clickup haven't fixed it in three years!!! WTAF. This is completely mental. I am so over this.
Nick Day
If anyone on the internet can access a link without needing authentication, then the link is not private. This issue is still not fixed. User level authentication is needed for Attachments, Clips, Forms, and maybe other items I'm not yet aware of.
Jim Bartek
Any screenshots pasted into Docs have public URLs, and when you export as HTML it does not zip and export the files, it just keeps the reference to the public images, no login required at all.
The same thing for Clips videos. All are always available at a public link.
I am not sure how any of this is considered SOC 2, GDPR and HIPAA compliant.
Any company that does client work signs NDAs and confidentiality agreements. How does everything not require login by default?
Matthew Winther
Luci N. this is still not truly fixed. You created a temporary transitional fix. No attachment should ever be public unless I choose otherwise. I’ve had to instruct my org to not save ANY attachments to tasks to comply with our security policies. This is how you want your product to be used? Where we have to create corporate policies to prevent our users from using functions of your product? No facet of my workspace should be public facing unless I manually choose to make it so, how could you possibly think it’s advantageous to do otherwise?
Luci N.
Hey Matthew, thanks for the tag and for your feedback on this feature request. I will reach out to the product team about this and follow up here once I have an update!
Nick Day
Matthew Winther I totally agree, and share your frustration. We're telling users not to use Attachments, Clips, and Forms because they are all completely public. Unfortunately, I can't actually turn these insecure features off, and I can't audit my Workspace to see if users have disobeyed policy and used them anyway. The more we've invested in ClickUp, the more I've wanted to pull the plug.
Tim Jasper
Luci N. How is this not fixed? This is insane
Kristen Connolly
Luci N.: Thanks for your reply. I think it's strange that ClickUp equates "private" with "temporarily public-facing". If I add an attachment, it becomes private after an hour, but opening the attachment still shows a "copy URL" icon, and clicking that "copy URL" icon creates a new URL that's external-facing, rather than copying the previous (now private) URL. This is really poorly executed, and calling it "private attachments" is very misleading, since a single click makes it public again.
Kristen Connolly
Why did ClickUp mark this request as COMPLETE when it hasn't been implemented? Brendan W Eric Wightman
Kristen Connolly
Jed Frechette: yeah, we just discovered it and I'm extremely put out, as we've just spent a ton of our very limited non-profit & public-health resources moving onto ClickUp, and may now need to scrap it because of this single unfathomable security hole. I have been loving the platform overall, but this gap is a dealbreaker.
Kristen Connolly
It's a major issue that all attachments are public-facing, so folks who are interested in the privacy of ClickUp attachments can upvote https://clickup.canny.io/feature-requests/p/dont-make-attachments-available-externally-via-url-unless-specifically-set