Don't make attachments available externally via URL unless specifically set
Kristen Connolly
We just learned that all of our attachments in ClickUp are available to the entire world if someone has the right URL. That's ridiculous and extremely dangerous! As another user pointed out, this is "security by obscurity" and I can't imagine it's actually GDPR compliant, even with "private attachments" turned on (since that still makes the attachments externally-available for an hour).
Please make this "feature" of externally-facing links a choice (e.g. an attachment should be totally private and protected, just like other ClickUp data, unless specifically set to share externally).
We actually may need to move away from ClickUp because of this. It's not something we can control -- if someone emails to a task (a critical feature for us), then any attachments in the email will become publicly-available files via this "external link attachments" feature.
From the ClickUp docs: "This is really cool because all files stored in ClickUp can be shared externally by copying the link to the file. By default, the link never expires and contacts can download the files from the link directly!"
This is NOT really cool! I mean, it could be cool in some scenarios, but it's pretty horrible, for the most part.
Louise Ewing
Hi Canny Community!
Popping in with a quick update on this thread :)
We are currently working on an option to have all attachments and Clips URLs behind Workspace authorization. This means that once we ship this functionality, URLs will only be accessible by users logged into your ClickUp Workspace. This enhancement to how we manage attachments will be available on all ClickUp plans and will apply to both newly created and existing attachments.
We recommend following this Canny post, where our Product team is regularly posting updates.
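As an added illustration (not ClickUp's code), the three access models this thread contrasts: an unguessable but permanently public URL, a fetch gated on the requester's Workspace session as the update above describes, and a deliberately time-limited external share link. The store, workspace ids and signing key below are constructed placeholders.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory model; AttachmentStore, workspace ids and the key are
# hypothetical and not ClickUp's implementation.
SECRET = secrets.token_bytes(32)  # server-side signing key, never sent to clients


@dataclass
class AttachmentStore:
    # attachment id -> (owning workspace id, file bytes)
    files: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    def upload(self, workspace: str, data: bytes) -> str:
        att_id = secrets.token_urlsafe(16)  # unguessable, but unguessable is not authorized
        self.files[att_id] = (workspace, data)
        return att_id

    # Weak pattern: whoever holds the URL gets the file, forever. Nothing is checked
    # at fetch time, so deleting the task does not revoke anything.
    def fetch_public(self, att_id: str) -> Optional[bytes]:
        entry = self.files.get(att_id)
        return entry[1] if entry else None

    # Hardened pattern: the request must carry a session belonging to the workspace
    # that owns the attachment; a leaked URL alone yields nothing.
    def fetch_authorized(self, att_id: str, session_workspace: Optional[str]) -> Optional[bytes]:
        entry = self.files.get(att_id)
        if entry is None or session_workspace is None or entry[0] != session_workspace:
            return None
        return entry[1]

    # Deliberate external sharing: the link carries an HMAC over (id, expiry), so it
    # expires after `ttl` seconds and cannot be altered to point at another file.
    def make_share_link(self, att_id: str, ttl: int, now: float) -> str:
        exp = int(now) + ttl
        sig = hmac.new(SECRET, f"{att_id}:{exp}".encode(), hashlib.sha256).hexdigest()
        return f"{att_id}:{exp}:{sig}"

    def fetch_shared(self, link: str, now: float) -> Optional[bytes]:
        try:
            att_id, exp_s, sig = link.split(":")
            exp = int(exp_s)
        except ValueError:
            return None
        expected = hmac.new(SECRET, f"{att_id}:{exp}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected) or now > exp:
            return None
        return self.fetch_public(att_id)
```

The share link is the only path that should ever be reachable without a session, and only while its expiry holds; revocation of a public link, by contrast, is impossible because the server never consults anything at fetch time.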
Harry Kashouli
As someone who works in video games, I am telling you right now that there isn't a single InfoSec team that would approve this as-is, once discovered. We've killed off simpler project management tools for way less in our pipelines.
Grainne Arif
Please sort this issue as a priority, ClickUp; it's a massive security issue that I can't believe hasn't been addressed already.
Natalie Williams
Added a comment to this thread with a whole list of related posts about this issue.
Max Pagel
This is indeed a bit mental and an actual WTF situation from a security standpoint, especially looking at the history of this issue, i.e. it's been flagged and ignored for years.
Claire Albrecht
Woah okay yes this is a HUGE problem
Tim Jasper
I've just contacted ClickUp support. They are basically saying tough luck, we can't remove any existing uploads. I think I'm in the twilight zone...
Tim Jasper
OMG, I have just discovered this. I was frustrated enough with ClickUp over the permissions issues on their own docs/pages/tasks/subtasks etc. However, I am completely flabbergasted to discover this. How is this not widely known? I'm sure no company would use ClickUp if they realised this. It's completely unacceptable. I will now have to contact ClickUp support to remove these documents, as deleting them from my tasks doesn't delete the open link to the documents. Mind-blowing security issue, ClickUp.
Thiago Dominoni
This is unbelievable! How can they release something like this?
Daniel Meredith
This is a huge problem for us too, and is probably breaking a whole ton of compliance regulations.
Imagine all of the things that a team would upload to ClickUp over the years, and all of that is available via a simple crawler that scans possible address combinations -- that's an insane flaw to have, at any software level.
I don't imagine the other major players in this space have the same issues.