Security of HipChat file uploads


Just checking out HipChat. We found uploaded files are sent to Amazon S3 services and are freely available to anyone.

I thought privacy and security are #1 issues?

3 answers

1 accepted

Hi Jochen,

Here are the facts about HipChat files:

  • Files uploaded to HipChat are stored on Amazon's S3 servers.
  • All uploaded files are accessible via an obscure URL which is shared with people in the chat when the file is uploaded.
  • Users are not required to be logged in to view uploaded files - they are visible to anyone who has the link. (This means the links can be shared easily with anyone you want to be able to view the file).

Many users ask whether this results in "secure" files (since URLs are "public"). We feel it provides the best of both worlds:

  • Sharing remains easy and frictionless.
  • The randomized set of characters has on the order of many sextillion potential combinations (nearly a trillion trillion). Compared to a common email / password login, it is significantly more difficult to guess and is different for every file.

We have considered offering authenticated access to uploaded files (i.e. requiring a username / password) but it is not part of our current subscription options.

I hope that at least clarifies the situation, although I will leave it to you to decide whether this is sufficient security for your files or not.

All the best,

I don't find this to be an acceptable security solution whatsoever. Obscurity is not security.

Obscurity is not security, as there are simply too many unexpected ways the URL can be leaked.  Here's an example:

  1. Somebody shares a document containing very sensitive data, say their tax information.
  2. The document contains a link to an article about tax optimization.
  3. Somebody clicks on the link in the document to read the article.
  4. Now, the webmaster of the article's site has your secure link in the referrer header.
  5. This information is often sold to DMPs, so now the whole internet has the link, even though nobody explicitly shared it and everyone was otherwise very careful.

This is only one example... there are many others that nefarious groups are extremely familiar with.

Incidentally, this is not theoretical.  It actually happened to Dropbox:
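
The referrer leak described in the comment above, modelled as an added example that is not part of the original thread: a simplified JavaScript version of the browser's Referrer Policy decision, showing which policies on the file page would hand the full secret URL to the linked site. The URLs and function names are constructed for illustration, and "trustworthy" is approximated as "scheme is https".

```javascript
// Simplified model of the W3C Referrer Policy decision: given the policy in
// force on the page being viewed, what Referer does a clicked link send onward?

function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";   // credentials and fragment are never sent in Referer
  u.password = "";
  u.hash = "";
  return u.href;
}

function computeReferrer(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const full = stripForReferrer(fromUrl, false);
  const origin = stripForReferrer(fromUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed URLs: a secret link to an uploaded file, and the article it links to.
const SECRET_FILE_URL = "https://files.example.com/u/Zq8rT1xK9mPw/tax-2017.html";
const ARTICLE_URL = "https://articles.example.net/tax-optimization";

// True when the third-party site would learn the unguessable path.
function leaksCapability(policy) {
  const ref = computeReferrer(policy, SECRET_FILE_URL, ARTICLE_URL);
  return ref !== null && ref.includes(new URL(SECRET_FILE_URL).pathname);
}

const POLICIES = ["no-referrer", "same-origin", "origin", "strict-origin",
  "origin-when-cross-origin", "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade", "unsafe-url"];
for (const p of POLICIES) {
  console.log(p.padEnd(32), leaksCapability(p) ? "LEAKS full URL" : "path withheld");
}
```

Only `no-referrer-when-downgrade` and `unsafe-url` pass the full path to the other site here; `no-referrer-when-downgrade` was the long-standing browser default before browsers moved to `strict-origin-when-cross-origin`.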

Hi Jochen,

The reason why this is done can be found here:

Best regards,


The link is broken.

I cannot even search for that topic in the knowledge base.
