The attachment URL contains a random string. Trello assumes that nobody will guess this random string, and because of that attachments are hidden from others (as long as you don't share the attachment URL).
If that is not good enough, you could e.g. use a link to secure storage you control yourself instead of a Trello attachment.
That's fair enough!
I just found out by accidentally opening such a link in a private browser window.
At first, I was afraid too, but I don't think it's possible to detect Trello filenames on the S3 storage with an API without user credentials.
So this means that you have to guess the filename first and then this random string of about 80 characters.
My password for Trello may be easier to crack than this.
In the end, this can be very useful with this link as well.
@Byron Mann: I would recommend sharing your passwords and secrets in a common KeePass DB instead of on any other platform in plain text or image (also plaintext with OCR...), be it internal or on the web.
I only discovered this today, after realizing a friend posted an image of a config with secrets and passwords in Trello (since deleted) and I started to wonder if this was the case.
While yes, I do agree, it would be extreme effort to guess/crack a URL for one of these images, it is not impossible. Security by obscurity is not really a thing and pretty much unacceptable when common users are unaware of the potential danger.
It would be very easy to secure these images with signed URLs. So it begs the question, why not just do it?
This lax security outlook makes me want to not use Trello or other Atlassian products, which are used quite extensively through our organization.