Are all these third party powerups vetted safe?

Arthur Trinchera August 29, 2022

It's my first look at the powerups and I found a comprehensive field adder, specifically Amazing Fields, that has 50,000 users, but it seemed to have access to every bit of info and be able to post and see pretty much everything, including saved usernames and passwords. I did look for this question before posting.

Thank you

2 answers

2 votes
Answer accepted
Allen -Amazing PowerUps-
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 30, 2022

I can chime in as the developer of Amazing Fields. 

I have an FAQ entry about it as well: (Why does Amazing Fields need so many Trello permissions?)

The summary is that all powerups generally have access to all your data on the board where they are enabled. But powerups behave differently in what data they need and how they store it. Amazing Fields keeps all of your card data on the Trello servers under your control.

As to usernames and passwords, Amazing Fields does not have any access to your credentials.  It does ask for approval so it can call APIs on your behalf, but that is through the standard Trello approval flow which does not give powerups any access to your credentials and allows you to revoke that access at any time.

If you have any additional questions, I am more than happy to answer them here or through support@amazingpowers.com

Arthur Trinchera September 1, 2022

Thank you for your answer. I am a low power, no power user. I was referring to passwords I have saved on my cards for my own reference. I assumed if my account was private it would be safe unless breached.

Arthur

Allen -Amazing PowerUps-
Rising Star
September 2, 2022

That is correct. In theory a powerup could access that data, but a well-behaved powerup is not going to make a copy of your data to an external server or anything like that.

So for example the way Amazing Fields works, I would never see or have remote access to any of your data.  Your mileage may vary with other powerups so I would check with any you are concerned about.

0 votes
Answer accepted
Nic Brough -Adaptavist-
Rising Star
August 30, 2022

Welcome to the Atlassian Community!

Atlassian has some basic checks done on apps that are made publicly available on the Marketplace, and has some security schemes for vendors. It vets supplier partners to varying extents. But it can't test for everything.

However, you use the example of Amazing Fields - yes, that can access all your data, but it sits within the permissions of Jira - if a user can't see an issue, then Amazing Fields won't show them data from that issue.

You say it has access to saved usernames and passwords.  It does not really, not unless your users are putting usernames and passwords into fields on issues.  If they are doing that, you should be looking to discipline them...

Arthur Trinchera September 1, 2022

It's just me and I save usernames and passwords in comment fields. I assumed that was private and safe. Should I be disciplined? Thank you for your answer!

Nic Brough -Adaptavist-
Rising Star
September 1, 2022

I hope this is not too harsh a thing to say but...

> "I save usernames and passwords in comment fields"

No.

Never, never, never, do that. 

User names, IDs, email addresses etc., you should probably avoid storing if you can because they do make it a bit easier for hackers and crackers, but you never store a password outside a password safe or a human brain (and don't trust the human brain, some of us are so dumb, we'd give a researcher a real password in exchange for a doughnut).

Storing a plain text password in an unencrypted way is, in short, a) a bad idea and b) almost certainly illegal in your country.
