Data security risk - viewers invited to a single project can see folders of all projects in a Hub

SOLVED
Message 1 of 3
henri.puolanne
523 Views, 2 Replies

Hi,

We noticed a potential data security risk when sharing our Forma projects with third parties. Turns out that when a person outside our organisation is invited to a project as a Viewer, they can see all the folders in our Forma Hub. All projects the Viewers haven't been invited to are invisible, as are the contents of the folders, but the folders themselves and their names are visible.

This is a small thing, but we have several confidential projects running in Forma, and having their names leak out through something like this can have fairly serious consequences. Is this something that could possibly be addressed in a future update?

Thank you!

Message 2 of 3

Hey @henri.puolanne 
Thank you for submitting this, appreciate it! We found the same error, which is an unfortunate byproduct of other parts of the app. It is obviously not the intent that project users should be able to see anything but the specific project(s) they are part of. We are working on a fix and will circle back when done!

Best
Kasper, Principal Product Manager @ Autodesk Forma

Message 3 of 3

Hi @henri.puolanne, our team appreciates your feedback to build a secure product. We confirmed your findings and deployed a fix to the application. Unfortunately, this issue slipped through the cracks of our code review, security testing, and deployment processes, and for that, we sincerely apologize.

Reports like yours are incredibly valuable to us. If you or other contributors find any future issues, please send them to Autodesk’s Trust Center. This keeps the issue confidential from potential abusers and allows our incident response team to promptly engage the right team to fix the issue more swiftly.

Thanks,
Nick, Senior Security Engineer @ Autodesk Forma

 
