Why are attachments on private Trello boards public?

James Brecknell August 30, 2018

And by that I mean why can anyone with the link view the attachment, unlike anyone with a link to the board itself? How does Trello consider this to be secure?

2 answers

1 accepted

2 votes
Answer accepted
marc -Collabello--Phase Locked-
Community Leader
August 30, 2018

The attachment URL contains a random string.  Trello assumes that nobody will guess this random string, and because of that attachments are hidden from others (as long as you don't share the attachment URL).

If that is not good enough, you could e.g. use a link to secure storage you control yourself instead of a Trello attachment.

James Brecknell August 30, 2018

I wondered if that may be the case - that the random string makes the URL just like a very hard-to-crack password. Thanks for clarifying that.

Florian Mühlethaler September 17, 2019

That's fair enough!
I just found out by accidentally opening such a link in a private browser window.
At first, I was afraid too, but I don't think it's possible to detect Trello filenames on the S3 storage with an API without user credentials.
So this means that you have to guess the filename first and then this random string of about 80 characters.

My password for Trello may be easier to crack than this.
In the end, this can be very useful with this link as well.

@Byron Mann: I would recommend sharing your passwords and secrets in a common KeePass DB instead of on any other platform in plain text or image (also plaintext with OCR...), be it internal or on the web.

0 votes
Byron Mann July 23, 2019

I only discovered this today, after realizing a friend posted an image of a config with secrets and passwords in Trello (since deleted) and I started to wonder if this was the case. 

While yes, I do agree, it would be extreme effort to guess/crack a URL for one of these images, it is not impossible. Security by obscurity is not really a thing and pretty much unacceptable when common users are unaware of the potential danger.

It would be very easy to secure these images with signed URLs. So it begs the question, why not just do it?

This lax security outlook makes me want to not use Trello or other Atlassian products, which are used quite extensively through our organization.

marc -Collabello--Phase Locked-
Community Leader
July 24, 2019

@Byron Mann As additional information: Trello is somewhat different from the other Atlassian products, and their design and security differ also.
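The two designs discussed in this thread, the unguessable-token ("capability") URL that the accepted answer describes and the signed, expiring URL that Byron asks for, side by side as an added example. This is illustrative code written for this page, not Trello's or Atlassian's own implementation: the token alphabet, the `/attachments/...` path layout, the signing key and the guess-rate figure are all assumptions chosen for the demonstration. It shows why a long random token is effectively unenumerable, and what a signed URL adds on top (tamper detection and an expiry the server controls).

```python
import hashlib
import hmac
import math
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# --- Design 1: capability URL (a random, unguessable path component) ---------
# Hypothetical alphabet; the real service's alphabet and token length are not
# known from the thread, only that the string is "about 80 characters".
TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def capability_url(base, filename, token_len=32):
    """Build a URL whose only protection is an unguessable random token."""
    token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(token_len))
    return f"{base}/attachments/{token}/{filename}"


def guess_space_bits(alphabet_size, length):
    """Entropy of a uniformly random token: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_enumerate(bits, guesses_per_second):
    """Expected years to hit a token by brute force (half the space on average)."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


# --- Design 2: signed URL with expiry (HMAC over path + expiry) --------------
SIGNING_KEY = b"hypothetical-server-side-secret"  # assumption: never leaves the server


def sign_url(base, path, ttl_seconds, now=None, key=SIGNING_KEY):
    """Issue a URL valid for ttl_seconds; the signature covers path and expiry."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    msg = f"{path}?expires={expires}".encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_signed_url(url, now=None, key=SIGNING_KEY):
    """Server-side check: reject expired, tampered, or unsigned URLs."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) > expires:
        return False
    msg = f"{parts.path}?expires={expires}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # constant-time comparison so a forger learns nothing from response timing
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    bits = guess_space_bits(len(TOKEN_ALPHABET), 32)
    print(f"32-char token: {bits:.1f} bits, "
          f"{years_to_enumerate(bits, 1e9):.2e} years at 1e9 guesses/s")
    print(capability_url("https://example.invalid", "config.png"))
    signed = sign_url("https://example.invalid", "/attachments/config.png", 600)
    print(signed, verify_signed_url(signed))
```

The point of the second design is not stronger secrecy of the link (the random token already exceeds any realistic password) but control: the server can stop honouring a leaked URL by letting it expire or rotating the key, while a capability URL stays valid until the object itself is deleted, which is exactly the situation Byron describes with the deleted image.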
