Why are attachments on private Trello boards public?

And by that I mean why can anyone with the link view the attachment, unlike anyone with a link to the board itself? How does Trello consider this to be secure?

2 answers

1 accepted

2 votes
Answer accepted

The attachment URL contains a random string. Trello assumes that nobody will guess this random string, and because of that attachments are hidden from others (as long as you don't share the attachment URL).

If that is not good enough, you could e.g. use a link to secure storage you control yourself instead of a Trello attachment.

I wondered if that may be the case - that the random string makes the URL just like a very hard-to-crack password. Thanks for clarifying that.

That's fair enough!
I just found out by accidentally opening such a link in a private browser window.
At first, I was afraid too, but I don't think it's possible to detect Trello filenames on the S3 storage with an API without user credentials.
So this means that you have to guess the filename first and then this random string of about 80 characters.

My password for Trello may be easier to crack than this.
In the end, this can be very useful with this link as well.

@Byron Mann: I would recommend sharing your passwords and secrets in a common KeePass DB instead of on any other platform in plain text or image (also plaintext with OCR...), be it internal or on the web.

I only discovered this today, after realizing a friend posted an image of a config with secrets and passwords in Trello (since deleted) and I started to wonder if this was the case. 

While yes, I do agree, it would be extreme effort to guess/crack a URL for one of these images, it is not impossible. Security by obscurity is not really a thing and pretty much unacceptable when common users are unaware of the potential danger.

It would be very easy to secure these images with signed URLs. So it begs the question, why not just do it?

This lax security outlook makes me want to not use Trello or other Atlassian products, which are used quite extensively through our organization.

@Byron Mann As additional information: Trello is somewhat different from the other Atlassian products, and their design and security differ also.
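The accepted answer relies on an unguessable random string in the attachment URL, and the later comment asks why signed URLs are not used instead. As an added example (not Trello's or Atlassian's code, and making no claim about how Trello itself builds its links), here is a minimal HMAC-signed URL mint/verify pair in Python that shows the property a bare random string lacks: the link stops working after its expiry, and it cannot be repointed at a different path. The hostname, path and signing key are constructed placeholders.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder key; a real deployment keeps this in a secrets store.
SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def _signature(path, expires, key=SIGNING_KEY):
    """HMAC-SHA256 over the exact path and expiry, so neither can be altered."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(path, ttl_seconds, now=None):
    """Mint a link valid only for `path` and only until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"https://files.example.invalid{path}?{query}"


def verify_url(url, now=None):
    """Accept only an unmodified path, an unexpired timestamp and a valid MAC."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False  # link has lapsed; a leaked copy is now useless
    expected = _signature(parsed.path, expires)
    return hmac.compare_digest(sig, expected)  # constant-time comparison


if __name__ == "__main__":
    link = sign_url("/attachments/abc123/config.png", 600, now=1_700_000_000)
    print(link)
    print(verify_url(link, now=1_700_000_100))  # fresh and untampered
    print(verify_url(link, now=1_700_000_700))  # expired
    print(verify_url(link.replace("config.png", "other.png"), now=1_700_000_100))  # path changed
```

Contrast with the thread's random-string scheme: a leaked random-string link stays valid until the attachment is deleted, whereas a leaked signed link dies at its expiry and a new one must be minted by someone who still has access.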
