Open Forum

  • 1.  Security Concern with Uploaded Files

    Posted 11-17-2020 14:32
    Edited by Yehuda Isenberg 11-17-2020 15:07

    We recently noticed that file uploads (for sessions, and other uploads) are being stored on an Amazon Server, which isn't secure.  If uploaded documents are stored on an unsecure Amazon Web Server, what prevents outside people (non-authorized people) from gaining access to our sensitive documents? They can use a webcrawler/webbot to find the correct URL.

    Our EVENT requires login to access any event information, but the link can be shared/found by anyone?!   This is a major security concern for us, and when we've spoken to people at cVent support, the best solution they offered was to not upload files into Compass, which defeats the purpose of the functionality. Does anyone else have this concern?

    Additionally, if one puts this in their browser, you'll see MANY organizations' private events.

    https://www.google.com/search?q=site%3Aamazonaws.com%2Fv3-app_crowdc%2Fassets


    #EventApp-Building/managing

    ------------------------------
    Yehuda
    ------------------------------


  • 2.  RE: Security Concern with Uploaded Files

    Cvent Staff
    Posted 11-18-2020 15:24
    Hi Yehuda, 

    Thank you for reaching out to the Community with your concerns! We escalated your post to the Information Security Team and Product leadership for their expertise and they provided the following guidance.

    We've looked into the customer's concerns and understand them to be:

    1. The confidentiality of file uploads related to your CrowdCompass event(s);
    2. The security configuration of our AWS S3 infrastructure used to store CrowdCompass file uploads.

    As for item #1, access by attendees to CrowdCompass events can be restricted by event planners with multiple security options, including configuring access to events to be "hidden" (which simply obscures the event) or "login-required" (which requires the attendee to produce an event credential). However, as CrowdCompass is a solution to promote events and support engagement, once they securely access the event, the ability for event attendees to access and share event content object URLs (should they know how) is and has been the natural state of the solution. If strict event confidentiality is important to CrowdCompass event planners, we suggest that document sharing be disabled for their events, which limits access to file uploads to native mobile applications (vs. web browsers).

    As for item #2, we've investigated the security configuration of our S3 infrastructure and have confirmed that S3 buckets that house CrowdCompass file uploads are not able to be directly indexed by search engines like Google. Instead, we believe that, per item #1, URLs are first published by CrowdCompass event planners in other domains and subsequently indexed by Google. (This explains why only a few hundred URLs are returned in Google search results; if we had a systemic problem, there would be many more CrowdCompass URLs indexed by Google.)

    I hope this response to your concerns is clear. Meanwhile, we are always looking for ways to add optional security features for our customers and your points here have been passed along to the CrowdCompass Product team for strong consideration.

    Thanks again for reaching out to the Community!

    ------------------------------
    Jodi Meier
    Online Community Manager
    ------------------------------
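The thread turns on one property of the storage described above: an object URL is a permanent, unguessable-but-sharable capability, so once an attendee copies a link (or a planner publishes it on another site where a search engine picks it up), the event's login requirement no longer applies to that file. The usual way to make a leaked link worthless after a short time is to sign it with a server-held key and an expiry, the same idea behind S3 pre-signed URLs. The block below is an added illustration of that pattern in plain Python with only the standard library; it is not Cvent's or CrowdCompass's code, the hostname, object path and secret are constructed for the example, and it assumes the server verifies the signature before serving the object.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical server-side signing key, constructed for this example.
# A real deployment loads it from a secrets manager and never hard-codes it.
SECRET_KEY = b"example-only-signing-key"


def _sign(object_path: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over the path and the expiry, so neither can be changed
    without invalidating the signature."""
    msg = f"{object_path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_signed_url(base_url: str, object_path: str, ttl_seconds: int,
                    now: Optional[int] = None, key: bytes = SECRET_KEY) -> str:
    """Return a URL for object_path that is only valid until now + ttl_seconds.

    base_url is scheme and host only (e.g. https://files.example.test); object_path
    starts with '/'. `now` is injectable so the behaviour can be tested deterministically.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _sign(object_path, expires, key)})
    return f"{base_url}{object_path}?{query}"


def verify_signed_url(url: str, now: Optional[int] = None,
                      key: bytes = SECRET_KEY) -> Tuple[bool, str]:
    """Server-side check run before the object is served.

    Returns (allowed, reason). Rejects missing/malformed parameters, expired links,
    and any link whose path or expiry was altered after signing.
    """
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed expires/sig"
    # Check expiry first: an expired link is rejected even if the signature is valid,
    # which is exactly what limits the damage of a link that was shared or indexed.
    if now > expires:
        return False, "link expired"
    expected = _sign(parsed.path, expires, key)
    # Constant-time comparison so signature bytes cannot be guessed via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a 10-minute link to an event agenda.
    issued_at = 1_700_000_000
    link = make_signed_url("https://files.example.test", "/events/demo/agenda.pdf",
                           ttl_seconds=600, now=issued_at)
    print(link)
    print("5 min later  :", verify_signed_url(link, now=issued_at + 300))
    print("11 min later :", verify_signed_url(link, now=issued_at + 660))
    tampered = link.replace("agenda.pdf", "speaker-list.pdf")
    print("path changed :", verify_signed_url(tampered, now=issued_at + 300))
```

The design choice worth noting is that the expiry is part of the signed message: a recipient cannot extend a link's life by editing the `expires` parameter, and a link copied into a public page simply stops working after the TTL, so the "hidden" versus "login-required" distinction in the reply above would no longer be the only thing standing between a shared URL and the document.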