After realizing any user with access to a Confluence page can view the LucidCharts embedded in the page (even if the document was not explicitly shared with them), we sent a report to Lucid. Super professional, Lucid responded immediately and it turns out the behavior we observed is intentional! We thought you might be interested.
And More Elaborately
At Reco, we LOVE using various technologies to collaborate. Knowing that with great love comes great responsibility, and since we take great care to protect the privacy of our customers' data, we pay the same amount of attention to the privacy of our own data. In other words, we make a habit of reporting potentially dangerous behaviors in collaborative tools, and we have learned that it is always better to err on the side of caution and double-check everything. The account of one such case is provided below.
We have been using Lucidchart quite a lot recently, mainly to sketch architectural design ideas for our platform. To support the discussion around them, we used the Lucidchart Diagram Connector widgets to embed several charts in Confluence pages. As expected, there were comments on the diagrams' components as well as on the textual design docs in Confluence.
One night, however, a thought came to mind – the kind of thought that a year of working at Reco invokes: Lucidchart diagrams are secure on their own, but what if those diagrams, which include sensitive data, were made accessible to anybody with access to those Confluence pages? What if one of our clients uses it the way we do, and could be exposed to such risks? We conducted a little experiment – and a video is worth a thousand words.
Communicating the report to Lucid
We sent the report to Lucid following all the standard vulnerability disclosure procedures.
Here’s the verbatim Vulnerability Report, as we handed it to Lucid:
- Lucidchart Diagram Connector
- Lucidchart Diagrams Connector | Atlassian Marketplace
- Vendor: Lucid Software
- App key: com.lucidchart.confluence.plugins.lucid-confluence
- Version: 2.0.22-AC
- Date the vulnerability was observed: July 24th, 2022
Description of the vulnerability:
- A Lucidchart document (diagram) with private visibility scope is visible to any user with access to a Confluence page that has a Lucidchart Diagram Connector widget showing the diagram.
Instructions to duplicate the vulnerability:
- Video of steps to reproduce: https://youtu.be/EO3Am7uhQ6Y
- Log in to Lucidchart using your organizational account.
- Create a new Lucidchart Blank Document (For validation: add some unique content to the canvas)
- Make sure that a tooltip with the text “this document is currently private” shows by hovering over the “Share” button at the top-right corner of the Lucidchart window. Do not modify any permissions to the document.
- Log in to Atlassian Confluence using your organizational account.
- Create a new Page.
- On the page, add a new Lucidchart Diagrams Connector widget. Configure it to show the newly created Lucidchart document.
- Publish the page (optional: set access restrictions to the page).
- Any user with access to the page can view the Lucidchart document via the widget, even if the document was not explicitly shared with them.
Seth Manesse and Nathan Cooper from Lucid were incredibly responsive and professional. They responded in less than a day – Kudos! To our surprise, the behavior we observed is intentional!
In fact, Lucid does not view itself as responsible for an organization's collaboration security:
“The reason this is built this way is that the act of embedding a diagram into a Confluence page implies the user would like the diagram to be part of the Confluence page.”
Lucid followed up on their excellent response and even shared that they want to indicate, in the UI, when a document has been embedded in an external system:
“We do think it would be helpful to indicate in the share dialog on the document that the document has been embedded in an external system. We are currently exploring designs for a mechanism to do this, with no current estimated date of delivery.”
From their perspective, as the correspondence suggests, this behavior is 100% valid; however, we believe that if you're a CISO (chief information security officer) – you want security at the source and across all the collaborations in between (in case someone accesses the page without business justification, because they are part of the space or were accidentally added to an Active Directory group).
As data moves between systems, it changes business context and access lists. Using Lucid, you may, for instance, share directly through Lucid, share links via Slack or email, and embed charts inside Confluence pages. Altogether, this was a textbook case of the is-ought problem: data assets ARE secured at each source, but they OUGHT to be secured when we collaborate on them; since without collaboration, data is useless.
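As an added example (not Reco's or Lucid's code), here is the kind of inventory check a Confluence admin could run over storage-format page bodies to list every embedded Lucid diagram and the widest audience it reaches, since a page without view restrictions exposes the diagram to the whole space. It assumes the connector macro name contains "lucid", that the document id sits in a macro parameter named "documentId", and a namespace URI for the `ac:` prefix; the sample pages are constructed.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Storage format uses undeclared ac:/ri: prefixes; wrap the body in a root that
# declares them so ElementTree can parse it (namespace URIs are an assumption).
AC = "http://atlassian.com/content"
WRAP = '<root xmlns:ac="%s" xmlns:ri="http://atlassian.com/resource/identifier">%s</root>'
# Assumed: the macro name contains "lucid"; the doc id sits in parameter "documentId".
MACRO_RE = re.compile(r"lucid", re.I)
DOC_PARAM = "documentId"

@dataclass(frozen=True)
class Embed:
    page_id: str
    document_id: str
    audience: str  # "restricted" (page restrictions set) or "space-wide"

def find_embeds(page_id, storage_body, restricted):
    """Return one Embed per Lucid macro found in a page's storage body."""
    root = ET.fromstring(WRAP % (AC, storage_body))
    audience = "restricted" if restricted else "space-wide"
    embeds = []
    for macro in root.iter("{%s}structured-macro" % AC):
        if not MACRO_RE.search(macro.get("{%s}name" % AC, "")):
            continue
        doc_id = "<unknown>"  # placeholder when the parameter is missing
        for param in macro.iter("{%s}parameter" % AC):
            if param.get("{%s}name" % AC) == DOC_PARAM and param.text:
                doc_id = param.text.strip()
        embeds.append(Embed(page_id, doc_id, audience))
    return embeds

def exposure_report(pages):
    """Map each diagram id to the widest audience any embedding page grants."""
    widest = {}
    for p in pages:
        for e in find_embeds(p["id"], p["body"], p["restricted"]):
            if e.audience == "space-wide" or e.document_id not in widest:
                widest[e.document_id] = e.audience
    return widest

# Constructed sample pages standing in for Confluence REST content results.
LUCID = '<ac:structured-macro ac:name="lucidchart"><ac:parameter ac:name="documentId">%s</ac:parameter></ac:structured-macro>'
SAMPLE_PAGES = [
    {"id": "101", "restricted": False, "body": "<p>Arch</p>" + LUCID % "doc-A"},
    {"id": "102", "restricted": True,
     "body": LUCID % "doc-A" + LUCID % "doc-B" + '<ac:structured-macro ac:name="toc"/>'},
]
```

A diagram that is "space-wide" on any page should be cross-checked against its sharing settings in Lucid, because the embed widens its audience to everyone who can read that page.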