Secure Media Files on Internal Only KBs
complete
Caleb Scharf
Our HJ KB is set to internal only, meaning users must log in in order to view content. I assumed that any media content (pictures, files and videos) that was uploaded to the KB would be secure too. I just found out I was wrong and that all media files are uploaded to S3, and if someone has the link to these files, they can access them. While this is unlikely to be seen by anyone, this doesn't mean it is secure.
We really need these files to be secured.
At the very least, HJ should put a disclaimer on that setting page to ensure admins changing that setting are aware of this security risk.
Aziz Mejri marked this post as complete
Raksha Singh
The files should be saved even on partially public+internal KBs, that require SSO from users to log in.
Raksha Singh
Found the same issue, and it is a big privacy problem.
Jeff Penrod
I just found this myself. A simple Google search reveals every image in your storage directory. Look at the image properties and copy that link. Remove everything after /image/####/direct/ and paste into a Google site search. Everything shows up. Helpjuice is storing all images/videos/docs in the same directory without any security standard. Your account is the number between image/_____/direct.
This is alarming.
Janiece Ray
+1 indeed. I assumed that internal meant internal for EVERYTHING posted that way. Thank you!
Josh Manders
+1 - Thanks for learning this for the rest of us.
Drew Holliday
Agreed.
Adam Botterbusch
Agreed!