
Security of HipChat file uploads

Hi,

Just checking out HipChat. We found that uploaded files are sent to Amazon S3 and are freely available to anyone.

I thought privacy and security are #1 issues?

3 answers

1 accepted

0 votes
Answer accepted

Hi Jochen,

Here are the facts about HipChat files:

  • Files uploaded to HipChat are stored on Amazon's S3 servers.
  • All uploaded files are accessible via an obscure URL which is shared with people in the chat when the file is uploaded.
  • Users are not required to be logged in to view uploaded files - they are visible to anyone who has the link. (This means the links can be shared easily with anyone you want to be able to view the file).

Many users ask whether this results in "secure" files (since URLs are "public"). We feel it provides the best of both worlds:

  • Sharing remains easy and frictionless.
  • The randomized set of characters has on the order of many sextillion potential combinations (nearly a trillion trillion). Compared to a common email / password login, it is significantly more difficult to guess and is different for every file.

We have considered offering authenticated access to uploaded files (i.e. requiring a username / password) but it is not part of our current subscription options.

I hope that at least clarifies the situation, although I will leave it to you to decide whether this is sufficient security for your files or not: http://help.hipchat.com/knowledgebase/articles/64477

All the best,
John

I don't find this to be an acceptable security solution whatsoever. Obscurity is not security.


Obscurity is not security, as there are simply too many unexpected ways the URL can be leaked. Here's an example:

  1. Somebody shares a document containing very sensitive data, say their tax information.
  2. The document contains a link to an article about tax optimization.
  3. Somebody clicks on the link in the document to read the article.
  4. Now, the webmaster of the article's site has your secure link in the referrer header.
  5. This information is often sold to DMPs, so now the whole internet has the link, even though nobody explicitly shared it and everyone was otherwise very careful.

This is only one example... there are many others that nefarious groups are extremely familiar with.

Incidentally, this is not theoretical. It actually happened to Dropbox: https://arstechnica.com/information-technology/2014/05/dropbox-disables-old-shared-links-after-tax-returns-end-up-on-gooogle/
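To make the referrer leak in the example above concrete, here is an added Python example (not from the original thread, nor Atlassian's or HipChat's code) that models which part of a file URL a browser puts in the Referer header under each Referrer-Policy value, and flags the policies under which a capability token in the URL reaches the linked site. The file URL, token and article URL are constructed placeholders, not HipChat's real URL scheme.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values (hypothetical; not HipChat's real URL scheme).
TOKEN = "3fQ9kLp2Zx8vWn1R"
PAGE_URL = f"https://files.example.test/u/{TOKEN}/tax-return.pdf#page=2"
ARTICLE_URL = "https://news.example.net/tax-optimisation-tips"
POLICIES = (
    "no-referrer-when-downgrade",       # historical browser default
    "strict-origin-when-cross-origin",  # current browser default
    "no-referrer", "origin", "same-origin", "strict-origin",
    "origin-when-cross-origin", "unsafe-url",
)

def referer_for(page_url: str, target_url: str, policy: str) -> Optional[str]:
    """Referer header sent when a link on page_url is followed to target_url
    under the given Referrer-Policy (W3C rules; fragment always stripped)."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    origin = urlunsplit((src.scheme, src.netloc, "/", "", ""))
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown policy: {policy}")

def leaks_secret(page_url: str, target_url: str, policy: str, secret: str) -> bool:
    # True when the token embedded in page_url reaches target_url's server.
    ref = referer_for(page_url, target_url, policy)
    return ref is not None and secret in ref

def leak_report(page_url: str, target_url: str, secret: str) -> Dict[str, bool]:
    return {p: leaks_secret(page_url, target_url, p, secret) for p in POLICIES}

if __name__ == "__main__":
    for policy, leaked in leak_report(PAGE_URL, ARTICLE_URL, TOKEN).items():
        print(f"{policy:34} {'LEAKS token' if leaked else 'token withheld'}")
```

Serving the file page with a `Referrer-Policy: no-referrer` (or `same-origin`) header is the server-side control that keeps the token out of third-party request logs via this path.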

Hi Jochen,

The reason why this is done can be found here: http://help.hipchat.com/knowledgebase/articles/64477-are-files-uploaded-to-hipchat-secure-private-

Best regards,

Peter

The link is broken.

I cannot even search for that topic in the knowledgebase.
