Security of HipChat file uploads

Jochen Häberle November 21, 2013

Hi,

just checking out HipChat. We found uploaded files are sent to amazon s3 services and are freely available to anyone.

I thought privacy and security are #1 issues?

3 answers

1 accepted

0 votes
Answer accepted
JohnA
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 21, 2013

Hi Jochen,

Here are the facts about HipChat files:

  • Files uploaded to HipChat are stored on Amazon's S3 servers.
  • All uploaded files are accessible via an obscure URL which is shared with people in the chat when the file is uploaded.
  • Users are not required to be logged in to view uploaded files - they are visible to anyone who has the link. (This means the links can be shared easily with anyone you want to be able to view the file).

Many users ask whether this results in "secure" files (since URLs are "public"). We feel it provides the best of both worlds:

  • Sharing remains easy and frictionless.
  • The randomized set of characters has on the order of many sextillion potential combinations (nearly a trillion trillion). Compared to a common email / password login, it is significantly more difficult to guess and is different for every file.

We have considered offering authenticated access to uploaded files (i.e. requiring a username / password) but it is not part of our current subscription options.

I hope that at least clarifies the situation, although I will leave it to you to decide whether this is sufficient security for your files or not: http://help.hipchat.com/knowledgebase/articles/64477
All the best,
John
Matt Butalla February 16, 2017

I don't find this to be an acceptable security solution whatsoever. Obscurity is not security.

Like Mika Reivari likes this
4 votes
Corey Theiss October 5, 2017

Obscurity is not security, as there are simply too many unexpected ways the URL can be leaked.  Here's an example:

  1. Somebody shares a document containing very sensitive data, say their tax information.
  2. The document contains a link to an article about tax optimization.
  3. Somebody clicks on the link in the document to read the article.
  4. Now, the webmaster of the article's site has your secure link in the referrer header.
  5. This information is often sold to DMPs, so now the whole internet has the link, even though nobody explicitly shared it and were otherwise very careful.

This is only one example... there are many others that nefarious groups are extremely familiar with.

Incidentally, this is not theoretical.  It actually happened to Dropbox: https://arstechnica.com/information-technology/2014/05/dropbox-disables-old-shared-links-after-tax-returns-end-up-on-gooogle/

0 votes
Peter Van de Voorde
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
November 21, 2013

Hi Jochen,

The reason why this is done can be found here : http://help.hipchat.com/knowledgebase/articles/64477-are-files-uploaded-to-hipchat-secure-private-

Best regards,

Peter

gomfucius February 16, 2017

The link is broken.

JA Simmons V April 11, 2018

I cannot even search for that topic in the knowledgebase

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events