Are all these third party powerups vetted safe?

It's my first look at the powerups and I found a comprehensive field adder, specifically Amazing Fields, that has 50,000 users, but it seemed to have access to every bit of info and be able to post and see pretty much everything, including saved usernames and passwords. I did look for this question before posting.

Thank you

2 answers

2 accepted

2 votes
Answer accepted

I can chime in as the developer of Amazing Fields. 

I have an FAQ entry about it as well: (Why does Amazing Fields need so many Trello permissions?)

The summary is that all powerups generally have access to all your data on the board where they are enabled. But powerups behave differently in what data they need and how they store it. Amazing Fields keeps all of your card data on the Trello servers under your control.

As to usernames and passwords, Amazing Fields does not have any access to your credentials.  It does ask for approval so it can call APIs on your behalf, but that is through the standard Trello approval flow which does not give powerups any access to your credentials and allows you to revoke that access at any time.

If you have any additional questions, I am more than happy to answer them here or through support@amazingpowers.com

Thank you for your answer. I am a low power, no power user. I was referring to passwords I have saved on my cards for my own reference. I assumed if my account was private it would be safe unless breached.

Arthur

That is correct. In theory a powerup could access that data, but a well-behaved powerup is not going to make a copy of your data to an external server or anything like that.

So for example the way Amazing Fields works, I would never see or have remote access to any of your data.  Your mileage may vary with other powerups so I would check with any you are concerned about.

0 votes
Answer accepted

Welcome to the Atlassian Community!

Atlassian has some basic checks done on apps that are made publicly available on the Marketplace, and has some security schemes for vendors. It vets supplier partners to varying extents. But it can't test for everything.

However, you use the example of Amazing Fields - yes, that can access all your data, but it sits within the permissions of Jira - if a user can't see an issue, then Amazing Fields won't show them data from that issue.

You say it has access to saved usernames and passwords.  It does not really, not unless your users are putting usernames and passwords into fields on issues.  If they are doing that, you should be looking to discipline them...

It's just me and I save usernames and passwords in comment fields. I assumed that was private and safe. Should I be disciplined? Thank you for your answer!

I hope this is not too harsh a thing to say but...

> "I save usernames and passwords in comment fields"

No.

Never, never, never, do that. 

User names, IDs, email addresses etc, you should probably avoid storing if you can because they do make it a bit easier for hackers and crackers, but you never store a password outside a password safe or a human brain (and don't trust the human brain, some of us are so dumb, we'd give a researcher a real password in exchange for a doughnut).

Storing a plain text password in an unencrypted way is, in short, a) a bad idea and b) almost certainly illegal in your country.
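
For readers who, like the asker, have kept credentials in card descriptions or comments: the following is an added example, not part of the thread and not Trello or power-up code, that scans a board's JSON export for credential-like text so those entries can be moved to a password manager. The export layout it reads (`cards[].desc`, and `actions[]` entries of type `commentCard` with `data.text`) and the sample board are assumptions constructed for illustration.

```python
import re

# Keyword followed by ':' or '=' and a value, e.g. "password: hunter2".
CRED_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|user(?:name)?|login)\s*[:=]\s*(\S+)")

def scan_text(text):
    """Return (keyword, redacted value) pairs for credential-like text."""
    hits = []
    for m in CRED_RE.finditer(text or ""):
        value = m.group(2)
        # Never echo the secret itself; keep only its first character and length.
        hits.append((m.group(1).lower(), value[0] + "*" * (len(value) - 1)))
    return hits

def audit_board(board):
    """Scan card descriptions and comments in a board export dict (assumed layout)."""
    findings = []
    for card in board.get("cards", []):
        for kw, red in scan_text(card.get("desc")):
            findings.append(("desc", card.get("name", "?"), kw, red))
    for action in board.get("actions", []):
        if action.get("type") != "commentCard":
            continue  # only comment actions carry free text we care about
        data = action.get("data", {})
        card_name = data.get("card", {}).get("name", "?")
        for kw, red in scan_text(data.get("text")):
            findings.append(("comment", card_name, kw, red))
    return findings

# Constructed sample in the shape of a board JSON export (not real data).
SAMPLE_BOARD = {
    "cards": [
        {"id": "c1", "name": "Router setup",
         "desc": "Admin page\nusername: homeadmin\npassword: hunter2"},
        {"id": "c2", "name": "Groceries", "desc": "milk, eggs"},
    ],
    "actions": [
        {"type": "commentCard",
         "data": {"text": "new pwd=Tr0ub4dor", "card": {"id": "c2", "name": "Groceries"}}},
        {"type": "updateCard", "data": {"card": {"id": "c1", "name": "Router setup"}}},
    ],
}

if __name__ == "__main__":
    for where, card, kw, red in audit_board(SAMPLE_BOARD):
        print(f"{where:8} {card!r}: {kw} = {red}")
```

To run it on a real board, load the exported file with `json.load` and pass the resulting dict to `audit_board`; anything it reports is readable by every power-up enabled on that board.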
