Gal Bezalel, Data Analysis Team Leader
August 15, 2022
After realizing that any user with access to a Confluence page can view the Lucidchart diagrams embedded in that page (even if the diagram itself was never explicitly shared with them), we sent a report to Lucid. Super professional, Lucid responded immediately, and it turns out the behavior we observed is intentional! We thought you might be interested.
And More Elaborately
At Reco, we LOVE using various technologies to collaborate. Knowing that with great love comes great responsibility, and since we take great care to protect the privacy of our customers’ data, we pay the same attention to the privacy of our own data. In other words, we make a habit of reporting potentially dangerous behaviors in collaboration tools, and we have learnt that it is always better to err on the side of caution and double-check everything. The account of one such case is provided below.
We have been using Lucidchart quite a lot recently, mainly to sketch architectural design ideas for our platform. To focus the discussion around those, we used the Lucidchart Diagram Connector widgets to embed several charts in Confluence pages. As expected, there were comments on the diagram components as well as on the textual design docs in Confluence.
One night, however, a thought came to mind – the kind of thought that a year of working at Reco invokes: Lucidchart diagrams are secure on their own, but what if those diagrams, which include sensitive data, were made accessible to anybody with access to those Confluence pages? What if one of our clients uses it the same way we do, and could be exposed to such risks? We conducted a little experiment – and a video is worth a thousand words.
We sent the report to Lucid following all the standard vulnerability disclosure procedures.
Here’s the verbatim Vulnerability Report, as we handed it to Lucid:
Date the vulnerability was observed: July 24th, 2022
Description of the vulnerability:
Instructions to duplicate the vulnerability:
Seth Manesse and Nathan Cooper from Lucid were incredibly responsive and professional. They responded in less than a day – kudos! To our surprise, the behavior we observed is intentional!
In fact, Lucid does not view itself as responsible for an organization’s collaboration security:
“The reason this is built this way is that the act of embedding a diagram into a Confluence page implies the user would like the diagram to be part of the Confluence page.”
Lucid continued to build on their excellent response and even shared that they want to indicate – in the UI – that a document has been embedded elsewhere:
“We do think it would be helpful to indicate in the share dialog on the document that the document has been embedded in an external system. We are currently exploring designs for a mechanism to do this, with no current estimated date of delivery.”
From their perspective, as the correspondence suggests, this behavior is 100% valid; however, we believe that if you’re a CISO (chief information security officer), you want security at the source and across all the collaboration steps in between (in case someone accesses the page without a business justification, because they are a member of the space or were accidentally added to an Active Directory group).
As data moves between systems, it changes business context and access lists. Using Lucid, you may, for instance, share directly through Lucid, share links via Slack or email, and embed charts inside Confluence pages; each step adds a new audience. Altogether, this was a textbook case of the is-ought problem: data assets ARE secured at each source, but they OUGHT to be secured when we collaborate on them, since without collaboration, data is useless.
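To make the access-drift argument concrete, here is an added model (not Lucid’s or Atlassian’s API, and not code from the original post) of how embedding a diagram widens its effective audience beyond the source share list. The group names, users, pages and diagrams are constructed sample data; the report lists users who gained access only through an embedding page.

```python
from dataclasses import dataclass, field

# Directory groups resolved to members (constructed sample data, stands in
# for an Active Directory / Confluence space membership lookup)
GROUPS = {
    "eng": {"alice", "bob"},
    "all-staff": {"alice", "bob", "carol", "dave"},
}


def expand(principals):
    """Resolve group names to user names; plain user names pass through."""
    users = set()
    for p in principals:
        users |= GROUPS.get(p, {p})
    return users


@dataclass
class Diagram:
    name: str
    shared_with: set  # explicit shares at the source (the Lucid side)


@dataclass
class Page:
    name: str
    viewers: set  # users and groups that can read the page
    embeds: list = field(default_factory=list)  # diagrams embedded in it


def effective_viewers(diagram, pages):
    """Union of the source share list and every embedding page's audience."""
    audience = expand(diagram.shared_with)
    for page in pages:
        if diagram in page.embeds:
            audience |= expand(page.viewers)
    return audience


def exposure_report(diagrams, pages):
    """Map diagram name -> users who see it only because it was embedded."""
    report = {}
    for d in diagrams:
        extra = effective_viewers(d, pages) - expand(d.shared_with)
        if extra:
            report[d.name] = sorted(extra)
    return report


# Constructed scenario: a diagram shared only with alice, embedded in a
# design page readable by the whole eng group plus carol.
ARCH = Diagram("platform-architecture", {"alice"})
DESIGN_PAGE = Page("design-doc", {"eng", "carol"}, [ARCH])
PUBLIC_PAGE = Page("onboarding", {"all-staff"})

if __name__ == "__main__":
    print(exposure_report([ARCH], [DESIGN_PAGE, PUBLIC_PAGE]))
```

Running this prints `{'platform-architecture': ['bob', 'carol']}`: neither user appears on the diagram’s own share list, which is exactly the gap the share dialog does not show today.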