Receipt images on unsecured AWS S3 bucket
tsmith
Member Posts: 22
I noticed that receipt images are on a publically accessible AWS S3 bucket, and don't require any sort of credentials to access, simply knowing the url (which is complex - but not secured). To test, log into wave and view a receipt, and then copy that url into another browser or computer which hasn't authenticated into wave, and you will still be able to view the receipt. This means any personal identifying information is unsecured. I'm curious to hear feedback about this.
2
Comments
Hi @tsmith thanks for joining the conversation. I've shared this feedback with our team and I understand that the reason storage method is related to how the support for this integration was rolled out. An update to change this is in the pipeline and nearly complete. If you'd like, we can follow up with you when it is released.
Yes, please follow up! I appreciate it. Some receipts have account information, so I'm concerned about them falling into the wrong hands.
Thanks.
Hey! Just an update that one of our engineering managers is working through this problem with our Information Security Officer. I don't have an ETA on when we'll roll out the update, but I expect it will be soon. I'll let you know when I know.
Individual receipt images are still publicly accessible. Do you have an update or an ETA when it will be corrected?
Hi @jchazo . I spoke to our developers and although they have a proof of concept, it still needs to be tested out. Currently we don't have an exact ETA as to when that will be.
@alexlewiszarkos What is the status of this? Some receipts have my bank routing and account number, meaning my PII is available on an unsecured AWS bucket! It's been 6 months since this was brought to wave's attention. If someone stumbles across the bucket, and starts crawling for data - the data breach would be devastating for Wave. Please fix so I don't have to switch to another platform.
Thanks for your patience here @tsmith. I've just gone ahead and sent you a support ticket email so that our engineers have more visibility as to what's going on here. In the email, I stated that we have a tentative fix for this to be deployed on the 1st of August. Thanks for your continued patience until then.
@JamieD - Any updates on this?
Hey @tsmith
We understand that you’ve actively reached out about this issue regarding the security of our receipts function and we absolutely appreciate your concern over this. At the moment, we have no updates to share. As we do believe that this is something that should see an update, this has been ticketed for our product team and they are aware of the issue. They’ve decided that this isn’t something that they’ll be fixing at the moment, but they will revisit it in the future. As always, we appreciate you for putting this on our radar.
To any of our community members, feel free to +1 this thread.
Please pass along to the dev team that this is forcing me to move to another platform, even though I’ve enjoyed the Wave system.
Hi @tsmith . Thanks for this feedback, I'll definitely pass it along to the team.
Just realized this and was about to open up a discussion 'till I saw this one.
Completely understand @tsmith 's perspective as I share it. How is the development team currently planning for this?
Also would like to quickly propose another idea: allowing users link their own files with their own storage solutions (Google Drive, OneDrive, etc). Those files wouldn't be subject to the current security problem, as those links only work with authentication by the respective account, and would be cheaper to Wave since it won't have to pay for additional AWS storage.
Hey @dangosarecute
Thanks for this tip! Our product team is aware of this issue and scanning the community forum for more feedback. Apologies there has been no fix for this.