Security: Attachments are Completely Public. Need Private Attachments
closed
Nick Day
All Attachments have a link that anyone can access, even without a ClickUp account. Site scraping bots can find all publicly accessible links. This is a huge security concern.
While the addresses are long and perhaps unlikely for someone to find by scraping, security by obscurity is not security at all. The Attachment address begins with my Workspace ID, so adversaries can even target my company's workspace specifically.
Attachments created at my company could very easily include confidential information. As an admin, I have no way of knowing what Attachments have been created, by whom, and who has access to them. Access to Attachments needs to be based on account authorization.
Note that Clips and Forms have the exact same issue.
This same issue was reported in 2021. It was marked as resolved when they implemented the "Private Attachments" features under Security & Permissions > Advanced Permissions. That is not Private at all. It's just temporarily public. Security by obscurity.
If you can stop people from seeing all my Tasks by requiring them to be logged in and have permissions, why can't that same basic security be applied to Attachments, Clips, and Forms in the same way?
Louise Ewing
Hi Naomi Peters
We are currently working on an option to have all attachment and Clip URLs behind Workspace authorization. This means that once we ship this functionality, URLs will only be accessible by users logged into your ClickUp Workspace. This enhancement to how we manage attachments will be available on all ClickUp plans and will apply to both newly created and existing attachments. We recommend following the Canny post below, where our Product team is regularly posting updates.
Louise Ewing
closed
Grainne Arif
This is so bad. I've only just become aware of this. Please fix this ASAP, ClickUp. This should be standard for everyone.
Louise Ewing
Grainne Arif: As mentioned in the pinned comment above, we are working on enhancements in this area! Please refer to the Canny post below for the latest details.
Naomi Peters
Questions marked directly on a screenshot of the advanced permissions settings.
Naomi Peters
Shaquille Payne Eric Wightman Brent Sydney Brendan W Ivan Villa Jenny Lucas
Tagging in all the CU team members who have updated or responded on the threads that Natalie Williams found. (Except for the single-named Michael on the thread "require login in order to fill forms": there are too many single-named Michaels among the Canny users, and he doesn't come up in the list for me.)
Not sure whose team is taking the lead on this issue, but it's quite serious. I am in the process of deciding whether this is a dealbreaker that means I need to move my company away from ClickUp to another platform. We really need a response on the open questions, and quickly please.
Naomi Peters
Excellent news. I hope the deployment is speedy.
Natalie Williams
Additional threads regarding the lack of security for attachments/clips/forms:
https://clickup.canny.io/feature-requests/p/share-tasks-documents-securely (a more specific scenario, but related)
I pulled those related threads in ~5 minutes. Come on, ClickUp: this focus on adding new features while there are serious issues with security and privacy (not to mention random downgrades to existing features and a failure to address confirmed bugs for months) is atrocious.
Natalie Williams
Here's another one that was closed due to inactivity https://clickup.canny.io/feature-requests/p/prevent-files-to-open-without-session
Natalie Williams
https://clickup.canny.io/feature-requests/p/require-login-in-order-to-fill-forms (Michael has commented on this one requesting feedback)
Louise Ewing
Hi Natalie Williams - Thanks so much for your feedback in this area. As pinned above, we have already started work on enhancements to how we handle attachments and Clips and are excited to deliver this new functionality to all users on all plans this summer!
Tim Jasper
ClickUp, please stop everything and fix this immediately. Completely crazy that this is still an issue after three years. Do your customers know their attachments are open to the public? Is there a warning on your website when you are trying to sell them extra space to store their documents securely?
Natalie Williams
Tim Jasper, I would say that the average user has absolutely no idea that their attachments/clips/forms are open to the public. I've been using ClickUp for years and only recently became aware of this fundamental flaw.
Louise Ewing
Hi Tim Jasper - as mentioned above, we have enhancements in progress! Follow this Canny thread for the latest information.
Nick Day
I got an email saying you responded, but when I clicked "reply" there was nothing here from you. Did you remove your reply, or perhaps I'm having some sort of issue?
Louise Ewing
Hi Nick
Thanks for sharing your feedback and for bringing visibility to these feature requests.
To enable easy sharing of attachments, this was an intentional design decision (and common across other products) where we developed a key using a randomized sequence of characters in the URL.
The only way to access attachments is if someone in your Workspace has sent you the link or if someone in your Workspace has manually posted the link on a public Internet page.
If you find that one of your ClickUp task attachments is on Google or another search engine due to a colleague publicly posting your link, please reach out to our Technical Support team, and they can permanently delete and remove these attachments if you're able to provide them with the URL.
The product team has a list of roadmap items to improve the functionality around our attachments feature. This includes how attachments can be accessed, disabled, etc. Though we do not have an exact release date, we can let you know it's on our active roadmap!
I have also shared this post directly with the leadership team so they have your direct feedback.
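The three access models this thread argues over, side by side, as an added example that is not ClickUp's code and not from any post above: a permanent unguessable capability token in the URL (the "randomized sequence of characters" Louise describes), an expiring signed URL (the "temporarily public" behaviour Nick attributes to the Private Attachments setting), and a download endpoint gated on workspace membership (what the original post asks for). The hostname, identifiers, signing key and membership table are all constructed for the example.

```python
"""
Capability URL vs. expiring signed URL vs. session-gated download.
Added example with constructed data; not ClickUp's implementation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed demo key and host; a real service loads the key from a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
BASE = "https://files.example.invalid"

Response = Tuple[int, str]  # (HTTP status, reason)

# --- 1. Permanent capability URL: random token, no session consulted ---------
CAPABILITY_STORE: Dict[str, Tuple[str, str]] = {}


def make_capability_url(workspace_id: str, attachment_id: str) -> str:
    """Mint a link that works for anyone who holds it, forever."""
    token = secrets.token_urlsafe(32)  # ~256 bits; unguessable, but not revocable per user
    CAPABILITY_STORE[token] = (workspace_id, attachment_id)
    return f"{BASE}/{workspace_id}/{token}"


def serve_capability(url: str, session: Optional[dict]) -> Response:
    """The session argument is deliberately ignored: the link IS the credential."""
    token = urlsplit(url).path.rsplit("/", 1)[1]
    if token not in CAPABILITY_STORE:
        return 404, "unknown token"
    return 200, "served: anyone holding the link, logged in or not"


# --- 2. Expiring signed URL: "temporarily public" ----------------------------
def _sign(workspace_id: str, attachment_id: str, expires: int) -> str:
    msg = f"{workspace_id}|{attachment_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_expiring_url(workspace_id: str, attachment_id: str, ttl_seconds: int, now: int) -> str:
    expires = now + ttl_seconds
    sig = _sign(workspace_id, attachment_id, expires)
    return f"{BASE}/{workspace_id}/{attachment_id}?exp={expires}&sig={sig}"


def serve_expiring(url: str, session: Optional[dict], now: int) -> Response:
    """Checks signature and expiry only; still no notion of who is asking."""
    u = urlsplit(url)
    _, workspace_id, attachment_id = u.path.split("/")
    q = parse_qs(u.query)
    expires, sig = int(q["exp"][0]), q["sig"][0]
    if not hmac.compare_digest(sig, _sign(workspace_id, attachment_id, expires)):
        return 403, "bad signature (tampered path or expiry)"
    if now >= expires:
        return 403, "link expired"
    return 200, "served: anyone holding the link until it expires"


# --- 3. Session-gated download: access follows workspace membership ---------
MEMBERSHIP: Dict[str, set] = {"alice": {"ws-acme"}, "bob": {"ws-other"}}  # constructed
ATTACHMENT_OWNER: Dict[str, str] = {"att-42": "ws-acme"}                   # constructed


def serve_authorized(attachment_id: str, session: Optional[dict]) -> Response:
    """No token in the URL at all; the decision is made from the login session."""
    if session is None or "user" not in session:
        return 401, "login required"
    workspace_id = ATTACHMENT_OWNER.get(attachment_id)
    if workspace_id is None:
        return 404, "no such attachment"
    if workspace_id not in MEMBERSHIP.get(session["user"], set()):
        return 403, "not a member of the owning workspace"
    return 200, f"served to workspace member {session['user']}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    cap = make_capability_url("ws-acme", "att-42")
    exp = make_expiring_url("ws-acme", "att-42", ttl_seconds=3600, now=t0)
    print("capability, no login:      ", serve_capability(cap, None))
    print("expiring, no login, fresh: ", serve_expiring(exp, None, now=t0 + 10))
    print("expiring, no login, stale: ", serve_expiring(exp, None, now=t0 + 3600))
    print("authorized, no login:      ", serve_authorized("att-42", None))
    print("authorized, wrong workspace:", serve_authorized("att-42", {"user": "bob"}))
    print("authorized, member:        ", serve_authorized("att-42", {"user": "alice"}))
```

The first two handlers never look at the session, which is why an admin in those models cannot answer "who has access to this file": the answer is whoever has, or obtains, the string. Expiry narrows the window but does not change the principal. Only the third model lets access be revoked by removing a user from the workspace and lets every download be attributed to an account.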