Level 2

Question

Can developers address security loopholes in proof notification links?

Forum|Forum|5 years ago
December 16, 2020
7 replies
2249 views

I recently had the experience of a guest user gaining unauthorized access to my account when I inadvertently forwarded an internal proof notification.

Support explained the following: "From what you are saying it sounds like those users are getting your routing link through a forwarded email, and they aren't noticing that it's logging them in as you. The URL attached to those emails is linked to your credentials for that proof, so anyone who follows the link will be entered into the proof as you. There is a setting on each proof to change that behavior by requiring users to log in to the proof, that will prevent people who ended up with your personalized link from making changes as you. This will, however, prevent unlicensed users from accessing the proof. If all of your work is done internally and you don't have to have guest users, and external users access the proof then this would be the best route. If you do need external users to have access then it would be best to not forward notification emails from proof, as they contain that personalized link."

Would be possible in a future update to close this loophole by somehow referencing IP Addresses to block this type of access to guest users?

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

kynabaker16

Adobe Employee

Hey Joel,

Do you have access to the Innovation Lab to submit this as an official "idea" that other people can vote on? Also, I'll be sure to send this to the product managers over proof and see what we can do on that end as well.

Kyna

J

JoelClAuthor

Level 2

Hi Kyna. I am new to the community and thought I had submitted to the Lab. I've just done a deeper search, and found what you refer to. I will submit it as you suggested. Thank you!

kynabaker16

Adobe Employee

Wonderful! I'm so glad you're here (in the Community), that you're posting (I really hope to see more questions from you over time) AND I'm glad you found the Innovation Lab. For future reference, when you submit an in idea to the Innovation Lab, it's totally okay to post about it in the community as well so others might see it in the digest emails and go and vote on your idea!

K

KevinQu1

Level 10

@Kyna Baker - inactive‚, well-meaning as "put it in Innovation Lab" seems, there are too few Workfront Proof users vs. mainline Workfront users to get much traction in the Innovation Lab on Proof issues; so I don't find it to be a viable avenue for changes not directly related to Workfront.

I've received the answer @Joel Clements‚ had, and a few other variants on a theme, and they really come off as "it's working as intended, sorry" or "train your users better, sorry."

We've considered this a glaring security issue since we joined Workfront and are of the opinion this should be taken-up ASAP and not part of the wait-for-a-vote Innovation Lab (previously Idea Exchange) route. It creates a huge accountability issue and other systems of this type provide links that still require the user to log-in as themselves. Security 101 really.

Embedded credentials on a URL link may as well be the same as plaintext login, which is a much frowned-up IT practice; just to name one way to look at this‚Ä¶I can go on with more reasons this practice is bad for security, accountability, a paper trail in Legal/Regulatory environments.

I suggest Joel do what we did and push via their account representative as well, I think WF needs to know this isn't just an "idea," it's really a serious bug/oversight. Also feel free to mention my ticket #00235420.

J

JoelClAuthor

Level 2

Thanks for sharing your experience, Kevin.

When I first saw my decision on a proof changed, and then saw comments on a proof attributed to me which I did not make, I was quite confused. When I was told that anyone who gets hold of my personal proof link can access proofs without needing login credentials‚Ä¶ well, I was deeply disturbed!

The latest incident resulted in mass confusion regarding proof feedback and logged decisions, and a missed deadline. Luckily this happened a longtime customer, and I didn't have to do much to repair my credibility with them.

As you said, this is a GLARING security issue.

I will also try to see if anyone at Workfront will take this issue seriously.

Cheers,

Joel

Heather_Kulbacki

Community Advisor

We forward proof notifications pretty regularly - to reviewers who do not have a Workfront login - and have to constantly remind them NOT to use the Make Decision button. We've found forwarding the proof (mostly) works for us, except for the confusion that is caused when comments are made by someone other than who it looks like made them.

We wouldn't want to have to create a Workfront account for EVERY SINGLE proof reviewer. But ideally (for us) that forwarded notification would allow the reviewer to get into the proof and make their edits (no decision) but also require them to enter their name, email, or both just so we know who made the comments.

J

JoelClAuthor

Level 2

Heather, You don't need to create an account for every single proof reviewer. You can invite reviewers as "guest users". Just add their email address in the Workflow when you create your proof and they will have access under their own identity without needing a paid Workfront account. This sends them a link to the proof, and any comments decisions are attributed to them. Guest users do not need a Workfront account.

However, if you enable the "Secure proofing" under proof setting, only licensed users can access a proof.

Heather_Kulbacki

Community Advisor

For us, the person creating the proof and setting up the workflow doesn't know who these reviewers are that the notification gets forwarded to. We have one contact that we send the proof to and it's their responsibility to get addition comments from whoever else needs to review.

We've also tried using the "forward this proof to someone else" link and have found that has too many hoops to jump through before any additional reviewers can actually access the proof, since the proof owner needs to approve anyone added this way plus someone has to move that user to the correct stage once approved.

Ideally, for us, when someone uses the "forward this proof to someone else" link, anyone added would be added to the same stage as whoever is adding them and no one else would have to approve whoever is added before they can actually access the proof.

But I'm sure there are other organizations that would still want a project owner or proof owner to approve anyone added to a proof before access is allowed.

J

JoelClAuthor

Level 2

I am not an IT expert, but I would think there must be a way to utilize IP addresses to solve the security issue. When I spoke to Customer Support yesterday it was clear to me that they know this is an issue, but there is little will on their part to address it. They just say "Don't share your proof notifications with anyone".

imgrund

Adobe Employee

Hi - For me personally, it doesn't make any sense for the Designer to be the one in charge of a proof if they do not know who the reviewers are. There are two options I see..

1 - The Designer still creates the proof but makes the Project Owner the proof owner (you can have different proof owners and proof creators). The Project Owner then goes in and adds the correct reviewers and manages everything else from there.

2 - For the first version, the designer uploads the file as a regular document. The project Owner then uses the new-ish Create Proof option (which allows for Basic or Advance for those using workflow templates) and they own the proof. When the designer is done creating Version 2, they can upload it to a comment on the first version and tag the Project Owner. This way, they can see if all the comments have been resolved as well as download the V2 to upload to the proof.

We have over 700 proofs a day and 13,000 and we have never needed to forward an email notification to someone. As mentioned above, you can easily add guests to your proofs just by adding their email address to it. Complicating it with IP addresses (especially in this remote working world), doesn't seem necessary to me.

J

JillAc

Level 10

Hi Anthony - the one part of your process that I don't understand is why not upload V2 as a proof and delete all the existing people except the one who is the actual owner who can then easily use the compare tool for V1 to V2?

We also do something new that has been kind of working for certain types of projects that require quicker turnaround -- still some training of the designers to read the brief! In the brief we have a space to list who should get the V1 proof so the designer can share it correctly when they upload it. This saves about 1/2 day waiting for the manager to get to it, and moves things along a bit faster. Of course this only is for internal proofs as we wouldn't want an external person to see a proof before we have signed off internally first. Then the project manager shares it with any additional external or other stakeholders once they are ok that it is ready to be shared, or decide to wait for V2 if the edits are material or embarrassing.

imgrund

Adobe Employee

Hi Jill - The designer doesn't want to have to delete 30-something people and the project owner doesn't want to have to add them back every time. Our templates don't have people in every stage as you might not the Copy, Art, Dev, or Studio operator for the piece. (And you can't attach a template mid-flight with an empty stage). Besides, this could cause issues where someone was on Version 1 but forgotten on Version 2.

The Project Owner is just doing a quick glance to make sure all comments marked To Do are resolved and just a quick look over it. It isn't a full review. That is what Proofreading and Account are for. ;)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded