Finding HipChat is an insecure chat environment

I did some testing with HipChat Beta for Android here on 10/20/16. I have the Basic level service I am testing with.

I transmitted a test image in a one-to-one chat. The recipient found an option called "Copy link". We pasted the link into a browser and pulled up the image unencrypted, no login required, from the Amazon AWS S3 service.

https://aws.amazon.com/s3/

Here is the link:

https://s3.amazonaws.com/uploads.hipchat.com/642542/4454472/B5wvCGqAeIBjRED/A%20Swingin%20Christmas%201940s%20Style%20-%20Various%20Artists.jpg

My understanding is that HipChat is offering a secure chat environment with file sharing. What I found out from this exercise is that any sensitive files communicated are exposed to the public at large.

I attempted to delete the test files that were uploaded, but there is no option in the HipChat Beta for Android to allow deletion of the files.

Am I missing something here? Is HipChat supposed to be a secure collaboration environment for teams or not?

Are the contents of the "secure" chat also available unprotected elsewhere on the Amazon AWS S3 service?

How are the files that I have uploaded to be deleted from the Amazon AWS S3 server?

1 answer

Evan Michner (Atlassian Team), Oct 21, 2016

Hi Mark,

Thanks for writing this up. You can find some more information on how HipChat has always handled files here: https://confluence.atlassian.com/hipchat/share-files-744525756.html

The files you share are stored on Amazon's S3 servers and get a unique URL. The files can be viewed by anyone who has the URL. This means people who don't belong to your HipChat group can view the files if they have the files' URLs. These URLs are constructed from a random set of characters with nearly a trillion trillion possible combinations and are different for every file.

However, we believe that many customers have different security needs, so please feel free to follow the feature request here that talks about securing those files further: https://jira.atlassian.com/browse/HCPUB-302 . While we can't provide detailed information on the timeline for that work, we can assure you (and other customers) that we believe it's a priority and we plan to solve it for you.

Again, thanks for taking the time to provide the feedback – we truly appreciate it, and it helps us balance priorities when we hear from our customers like this.

Evan
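To weigh the answer's "nearly a trillion trillion combinations" claim against the URL quoted in the question, here is an added worked example (not HipChat's or Atlassian's code) that extracts the random path segment from that URL and computes the size of its keyspace. It assumes the token is drawn from the 62 case-sensitive alphanumerics, and that the numeric segments and the file name carry no secret.

```python
import math
from urllib.parse import urlparse, unquote

# Constructed sample input: the file URL quoted in the question above.
SAMPLE_URL = ("https://s3.amazonaws.com/uploads.hipchat.com/642542/4454472/"
              "B5wvCGqAeIBjRED/A%20Swingin%20Christmas%201940s%20Style%20-"
              "%20Various%20Artists.jpg")

# Assumption: the random token uses upper-case, lower-case and digits (62 symbols).
ALPHABET_SIZE = 62


def path_segments(url: str) -> list:
    """Split the S3 object key into its URL-decoded path components."""
    return [unquote(s) for s in urlparse(url).path.split("/") if s]


def random_segment(url: str) -> str:
    """Return the segment that acts as the per-file secret.

    Assumption: the purely numeric segments look like account/file identifiers
    and the last segment is the uploader-chosen file name, so neither contributes
    unguessability; only the mixed-case alphanumeric segment does.
    """
    for seg in path_segments(url)[1:-1]:  # skip bucket name and file name
        if seg.isalnum() and not seg.isdigit():
            return seg
    raise ValueError("no random-looking segment found")


def keyspace_size(token: str, alphabet_size: int = ALPHABET_SIZE) -> int:
    """Number of distinct tokens of this length over the assumed alphabet."""
    return alphabet_size ** len(token)


def keyspace_bits(token: str, alphabet_size: int = ALPHABET_SIZE) -> float:
    """The same keyspace expressed as bits of entropy (assuming uniform choice)."""
    return len(token) * math.log2(alphabet_size)


if __name__ == "__main__":
    token = random_segment(SAMPLE_URL)
    print(f"token={token} length={len(token)}")
    print(f"keyspace={keyspace_size(token):.3e} (~{keyspace_bits(token):.1f} bits)")
    # A 15-character token gives roughly 7.7e26 possibilities, well above the
    # 1e24 ("trillion trillion") the answer cites, so guessing is impractical.
    # The URL is still a bearer secret: whoever holds it, e.g. via "Copy link",
    # gets the file without authentication, which is the issue the question raises.
```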
