Attachments added to my private tasks should NOT be available to anyone else. They belong to me and should be secure.
However, anyone on my network can use network sniffing or view my browser history (or look over my shoulder) and then open my private attachments on their own computer, WITHOUT LOGGING IN!
That's very dangerous. I would not store files on AWS because anyone can access them without authenticating! Attachments should be fully permission-based, otherwise you'll be looking at data theft. Remember: HTTPS does NOT hide browser download history, so any of my own these files that I download will be accessible to anyone on my computer, and like I mentioned, to anyone with a simple network sniffer on my LAN.
Example:
You can open any of these private attachments if you just know the URLs - go ahead!
My wife's private photo:
My private contract: https://quire.s3.amazonaws.com/pLs5KIKwFEdbc7MaUjXyGdoG/secret%20contract.txt
Compare this with an online Google Doc, which isn't accessible to anyone even if you guess its URL. DropBox files - same thing, you actually need to log in to download your files.
Amazon S3 service is common. Even Github still uses it (including private projects). If I remember correctly, Asana and Trello used it too (at least in the early days).
We do plan to replace with a fully-integrated one (honestly, its stability is not 100% so we have to do some retries to ensure it). But, you did mention something we overlooked. We'll come out with a quick and safer approach first.
Tom Yeh, Mar 7, 2018
You're right. Request's URL is not protected by HTTPS.
We raised it to high priority. Shall be fixed soon.
Tom Yeh, Mar 7, 2018
I just checked, and at least one other To-do and Project Planning website also uses AWS and stores files in a similar way, so it's not a unique problem. I hope there are cost-effective way to fix it.
Alexander Rendar, Mar 7, 2018
It shall be fixed now. New uploaded files will be protected by Quire server.
BTW, after studying a bit, I found SSL does protect URL: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/
Tom Yeh, Mar 16, 2018
Hi,
I promise you - this hack works and is possible. HTTPS does NOT encrypt file URLs when you download your own attachments. Anyone on your network can monitor network traffic and get these file names, and steal your files.
HTTPS encrypts content of web pages and other data, but NOT the requests to download files. Only a VPN will encrypt your ENTIRE traffic, including the file names and URLs.
So anyone on your network can use a network sniffer and get the file URLs, and then download those files. Also, if you use a PUBLIC computer - like in the library or Starbucks, the file downloads will be in the browser history. It doesn't matter if you log out of Quire - anyone using this PC can look at the browser history and download the same files.
HTTPS protects the CONTENTS of the file/request, but not the URL to which it's issued. And that's fine, the attacker only needs to know the URL to then download the file on his PC.
So there are two vectors of attack against this, plus the "looking over your shoulder" (or take a photo of your screen with the file path, then download the file on my own PC).
Alexander Rendar, Mar 7, 2018
Hi Alex, This is the limitation of using Amazon S3 for file storage. But the URLs aren't predictable. No one can guess, or memorize the long path we generate randomly even if they have a chance to look over your shoulder. Unless of course, you share the link with someone else directly. Having said that, we understand it is an issue and will think about it and introduce a solution in the near future. Meanwhile, you can choose to keep the your file links private by using Google Drive. P.S. Network sniffing should not be possible since it is protected by HTTPS.
Crystal, Mar 7, 2018