Hi,
We noticed a potential data security risk when sharing our Forma projects with third parties. Turns out that when a person outside our organisation is invited to a project as a Viewer, they can see all the folders in our Forma Hub. All projects the Viewers haven't been invited to are invisible, as are the contents of the folders, but the folders themselves and their names are visible.
This is a small thing, but we have several confidential projects running in Forma, and having their names leak out through something like this can have fairly serious consequences. Is this something that could possibly be addressed in a future update?
Thank you!
Solved by nick_skelsey.
Hey @henri.puolanne
Thank you for submitting this, appreciate it! We found the same error, which is an unfortunate byproduct of other parts of the app. It is obviously not the intent that project users should be able to see anything but the specific project(s) they are part of. We are working on a fix and will circle back when done!
Best
Kasper, Principal Product Manager @ Autodesk Forma
Hi @henri.puolanne, our team appreciates your feedback to build a secure product. We confirmed your findings and deployed a fix to the application. Unfortunately, this issue slipped through the cracks of our code review, security testing, and deployment processes, and for that, we sincerely apologize.
Reports like yours are incredibly valuable to us. If you or other contributors find any future issues, please send them to Autodesk’s Trust Center. This keeps the issue confidential from potential abusers and allows our incident response team to promptly engage the right team to fix the issue more swiftly.
Thanks,
Nick, Senior Security Engineer @ Autodesk Forma