HOLY SHIT. TIL: all images AND attachments posted in hipchat are stored in *public* S3 buckets. Copy url, paste anywhere, it downloads.
@yoz @lo_fye : unknown, but this isn't reassuring: https://answers.atlassian.com/questions/236324/security-of-hipchat-file-uploads …
@slightlylate @lo_fye Why not? Seems to say the URLs - which are effectively passwords - are unguessable. Again, what’s the threat model?
@yoz @slightlylate to quote @ramsey a departing disgruntled employee stored a bunch of links. You can disable their account but not the links
@slightlylate @lo_fye (And sorry if I’m pushing too hard on this, but use of URLs-as-secrets has always been fascinating to me.)
@yoz @lo_fye : there's a whole draft on this! http://www.w3.org/TR/capability-urls/ …