HOLY SHIT. TIL: all images AND attachments posted in hipchat are stored in *public* S3 buckets. Copy url, paste anywhere, it downloads.
Replying to @lo_fye
@lo_fye @slightlylate What's the threat model that makes this a significant issue?
Replying to @yoz
@yoz @slightlylate we use hipchat in place of email, so we send lots of sensitive attachments via hipchat :-/
Replying to @lo_fye
@lo_fye @slightlylate Right, but how would those URLs be leaked? Are they guessable?
Replying to @yoz
@yoz @lo_fye : unknown, but this isn't reassuring: https://answers.atlassian.com/questions/236324/security-of-hipchat-file-uploads …
Replying to @slightlylate
@slightlylate @lo_fye (And sorry if I'm pushing too hard on this, but use of URLs-as-secrets has always been fascinating to me.)
@yoz @lo_fye : there's a whole draft on this! http://www.w3.org/TR/capability-urls/ …
Replying to @slightlylate
@slightlylate @lo_fye Oh fab, thank you. (And it includes Linden's usage, which is where I first really encountered this)
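The thread turns on the question "are those URLs guessable?", which is exactly what the W3C capability-URLs draft linked above is about. The following is an added example, not code from the thread, from HipChat or from Atlassian, showing the defensive side of a URL-as-secret: minting a link whose secret part comes from a CSPRNG, storing only a hash of it, expiring it, and a rough check of how much entropy a URL's secret part can possibly carry. The download host `files.example.invalid`, the `Grant` record and the in-memory store are all constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical download host; the real service's URL scheme is not shown in the thread.
BASE_URL = "https://files.example.invalid/d/"


@dataclass
class Grant:
    object_id: str
    expires_at: float
    token_hash: bytes


# Constructed in-memory store keyed by sha256(token). Holding only the hash means a
# leaked copy of this table does not yield working capability URLs.
_grants: Dict[bytes, Grant] = {}


def _hash(token: str) -> bytes:
    return hashlib.sha256(token.encode("ascii")).digest()


def mint_capability_url(object_id: str, ttl_seconds: int = 600,
                        now: Optional[float] = None) -> str:
    """Issue a time-limited capability URL for object_id.

    The secret part is 32 bytes (256 bits) from the OS CSPRNG, so it cannot be
    enumerated the way a sequential upload id or a short, predictable hash could.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = _hash(token)
    _grants[digest] = Grant(object_id, now + ttl_seconds, digest)
    return BASE_URL + token


def resolve_capability_url(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the object_id the URL grants, or None if unknown, tampered or expired."""
    now = time.time() if now is None else now
    if not url.startswith(BASE_URL):
        return None
    digest = _hash(url[len(BASE_URL):])
    grant = _grants.get(digest)
    if grant is None:
        return None
    # The dict lookup already matched the hash; compare_digest is kept so that a
    # later switch to a scan-based store does not quietly add a timing side channel.
    if not hmac.compare_digest(grant.token_hash, digest):
        return None
    if now > grant.expires_at:
        del _grants[digest]          # expired grants are dropped on first use
        return None
    return grant.object_id


def max_entropy_bits(secret: str) -> float:
    """Upper bound on the entropy of a URL's secret part, from its length and the
    character classes it uses. A sequential id such as '236324' lands far below
    the 128 bits normally expected of a capability URL; a 43-character
    token_urlsafe(32) value clears that bar in every character class."""
    alphabet = 0
    if any(c.isdigit() for c in secret):
        alphabet += 10
    if any(c.islower() for c in secret):
        alphabet += 26
    if any(c.isupper() for c in secret):
        alphabet += 26
    if any(c in "-_" for c in secret):
        alphabet += 2
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    url = mint_capability_url("attachment-42", ttl_seconds=60, now=1000.0)
    print(url, "->", resolve_capability_url(url, now=1030.0))
    print("after expiry ->", resolve_capability_url(url, now=1061.0))
    print("max bits in '236324':", round(max_entropy_bits("236324"), 1))
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real service it would be the clock. The entropy helper is deliberately an upper bound: it tells you when a URL scheme is certainly too weak, not that a long token was generated well, which is why the minting side uses `secrets` rather than anything derived from ids or timestamps.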