It's my first look at the powerups and I found a comprehensive field adder, specifically Amazing Fields, that has 50,000 users, but it seemed to have access to every bit of info and be able to post and see pretty much everything, including saved usernames and passwords. I did look for this question before posting.
I can chime in as the developer of Amazing Fields.
I have an FAQ entry about it as well: (Why does Amazing Fields need so many Trello permissions?)
The summary is that all powerups generally have access to all your data on the board where they are enabled. But powerups behave differently in what data they need and how they store it. Amazing Fields keeps all of your card data on the Trello servers under your control.
As to usernames and passwords, Amazing Fields does not have any access to your credentials. It does ask for approval so it can call APIs on your behalf, but that is through the standard Trello approval flow which does not give powerups any access to your credentials and allows you to revoke that access at any time.
If you have any additional questions, I am more than happy to answer them here or through email@example.com
That is correct. In theory a powerup could access that data, but a well-behaved powerup is not going to make a copy of your data to an external server or anything like that.
So for example the way Amazing Fields works, I would never see or have remote access to any of your data. Your mileage may vary with other powerups so I would check with any you are concerned about.
Welcome to the Atlassian Community!
Atlassian has some basic checks done on apps that are made publicly available on the Marketplace, and has some security schemes for vendors. It vets supplier partners to varying extents. But it can't test for everything.
However, you use the example of Amazing Fields - yes, that can access all your data, but it sits within the permissions of Jira - if a user can't see an issue, then Amazing Fields won't show them data from that issue.
You say it has access to saved usernames and passwords. It does not really, not unless your users are putting usernames and passwords into fields on issues. If they are doing that, you should be looking to discipline them...
I hope this is not too harsh a thing to say but...
> "I save usernames and passwords in comment fields"
Never, never, never, do that.
User names, IDs, email addresses etc., you should probably avoid storing if you can because they do make it a bit easier for hackers and crackers, but you never store a password outside a password safe or a human brain (and don't trust the human brain, some of us are so dumb, we'd give a researcher a real password in exchange for a doughnut).
Storing a plain text password in an unencrypted way is, in short, a) a bad idea and b) almost certainly illegal in your country.