Tickets & Conversations

aitortomas
Contributor

Support form attachments (files) are public

SOLVE

We are using a Support Form to give the option to our customers to open a new Ticket. Our Support Form contains a File Upload from Ticket properties. Every time a customer creates a Ticket with the Form and adds an attachment, the file is added to File Manager and therefore it is public.

We thought that was an unexpected behaviour and added a new issue with Hubspot Support. First they said:

"The file upload field (for ticket property) will create an attachment and it is NOT PUBLICLY accessible."

But then, when we probed that was not how it was working, they said:

"They were able to confirm that this is working as designed so when file is uploaded through the Support form into File Manager, file is expected to be publicly visible and there is no need for HubSpot log in to see the file.".

 

Considering this, we were wondering how people were working with Support Forms. Do you allow file uploads? Do you allow your customer's to upload files which will be publicly available?

 

The thing is that, unless you are uploading via the Support Form pictures of cats, you are likely:

- Exposing your customer's data publicly (indexed and crawled by search engines).

- Clashing with Hubspot's Term of Service (https://legal.hubspot.com/terms-of-service) by adding sensitive data to Hubspot (screenshots, log files, etc.).

 

So, how do you use file uploads to allow customers to open a ticket without falling in the ones above?

1 Accepted solution
cclaffey
Solution
HubSpot Product Team
HubSpot Product Team

Support form attachments (files) are public

SOLVE

Hi @aitortomas,

Thanks for pointing this out. This is an issue that we've been aware of and have been actively working on fixing for the past while. The fix should be published soon.

For a little more detail: Previously, files from form submissions were uploaded to the file manager, and were accessible at a ‘normal’ File URL, something like:

‘subdomain.domain.com/hubfs/form-uploads/<form-guid>/<submission-guid>-<object-property>_file-name.extension'

while it’s possible that these files could have been found and indexed by a crawler randomly, it was unlikely without being on live content (pages).

We’re changing this so that the files will only be accessible via temporary, signed URLs - only accessible to authenticated HubSpot users (from the file manager or CRM object associated to form submission). This will ensure the files are not crawled/indexed.

View solution in original post

12 Replies 12
ASaini0
Member

Support form attachments (files) are public

SOLVE

Is it possible to upload a file without a form ? In other words to just use the FILE UPLOAD feature - Im ont able to manually attach a file in the Tickets module at this point. 

0 Upvotes
ReduceMyIns
Participant

Support form attachments (files) are public

SOLVE
2 years still not a single response or fix. Has anyone designed a way to send files that are attachments to external non hubspot users? I'm thinking of building my own Google drive integration to accomplish this. Has anyone done this yet, or know of an existing solution.
Josh
Recognized Expert | Platinum Partner
Recognized Expert | Platinum Partner

Support form attachments (files) are public

SOLVE

Hi @aitortomas,

 

I definitely get your concerns and I'm not sure that this changes anything, but just a couple points of clarification.

 

  • The uploaded documents are available from a link from anyone that has the link, but they aren't living in a publicly accessible folder.
  • Unless your documents are linked from a page that is accessible by Googlebot or other search engines, these documents won't be crawled and indexed in search.

I still agree, more security on documents is ideal and worth adding to the HubSpot Ideas forum. I searched a bit but didn't find anything that already exists there on the topic.

 

Josh




Did this post help solve your problem? If so, please mark it as a solution.

Josh Curcio

HubSpot support and inbound marketing for OEMs, contract manufacturers, and industrial suppliers.
HubSpot Platinum Partner & HubSpot Certified Trainer

0 Upvotes
aitortomas
Contributor

Support form attachments (files) are public

SOLVE

Hi @Josh ,

 

Thanks for you reply.

Honestly, IMHO, this is not only about providing a "bit" more security, this is actually about providing security. Adding a file to the File Manager, instantly adds it to a public CDN. Adding a file which contains any sort of personal data to a public CDN instantly is against (at least in Europe) GDPR.

Now I am sure I will be told that Hubspot Terms of Service do not allow to add sensitive data to Hubspot. Fine, can please then someone explain me what is the purpose of the File Upload in general? Which kind of data should be allowed then to be added? And this is more generic. Even without using the file upload, every time you upload, for example, customer logs or screenshots you are clashing with Hubspot's Terms of Service. How can it be that normal usage of the system collides with the Terms of Service?

The answer is simple, Service Hub is basically in such a premature state that it is basically useless. And this is not about adding an idea. Anyone (at least in Europe) using Support Forms is potentially breaking a data protection law. At least Hubspot should warn about it.

 

I am maybe being a bit sensitive with the topic, but honestly I am now a bit concern in general about our data and its security, or maybe just hubspot is not the tool for security obssesed companies like mine.

 

Best regards,

 

Aitor

aitortomas
Contributor

Support form attachments (files) are public

SOLVE

And just for additional information regarding File Manager and indexed and crawled files, Hubspot support has told me:

"As explained in my previous email, any file uploaded to the File manager (in this case uploaded using the file property in the form) will be publicly accessible, indexed and crawled. This file is also visible on the ticket record in the form of the attachment on the right hand side and in the form of the Note on the ticket record."

 

And when asking about https://knowledge.hubspot.com/articles/kcs_article/forms/can-i-add-a-file-upload-field-to-my-forms where it says files uploaded via form upload should be hidden in File Manager, the answer was:

"Knowledge Base article you are referring to means that files in File Managed coming from upload are not accessible via the frontend of the File Manager (so you as user can't see them in File Manager in User Interface but they are still crawled and indexed). "

 

I am just highlighting what Hubspot Support told me. For me it would make sense what you say, only Files added to public websites should be crawled and indexed, but as they belong to a public CDN... and Hubspot Support has not told me the same as you... I am still concerned.

0 Upvotes
cclaffey
Solution
HubSpot Product Team
HubSpot Product Team

Support form attachments (files) are public

SOLVE

Hi @aitortomas,

Thanks for pointing this out. This is an issue that we've been aware of and have been actively working on fixing for the past while. The fix should be published soon.

For a little more detail: Previously, files from form submissions were uploaded to the file manager, and were accessible at a ‘normal’ File URL, something like:

‘subdomain.domain.com/hubfs/form-uploads/<form-guid>/<submission-guid>-<object-property>_file-name.extension'

while it’s possible that these files could have been found and indexed by a crawler randomly, it was unlikely without being on live content (pages).

We’re changing this so that the files will only be accessible via temporary, signed URLs - only accessible to authenticated HubSpot users (from the file manager or CRM object associated to form submission). This will ensure the files are not crawled/indexed.

BSlicker
Participant

Support form attachments (files) are public

SOLVE

@cclaffey Can you confirm whether this has been updated or not with any supporting documentation?

0 Upvotes
jnet
HubSpot Employee
HubSpot Employee

Support form attachments (files) are public

SOLVE

It looks like this has been updated, since the file upload type property files in the file manager can only be downloaded or previewed, and when clicked to view in a new window, it leads to a 404 page (which I'm guessing is WAD?)

0 Upvotes
ChristianL
Participant

Support form attachments (files) are public

SOLVE

Hi @cclaffey,

 

Any news on this ? Has a solution been implemented ?

 

Thx,

 

Chris

 

 

0 Upvotes
aitortomas
Contributor

Support form attachments (files) are public

SOLVE

Thanks a lot @cclaffey , that is by far the best explanation I have got about the topic and it makes complete sense. When I spoke with Support, I got so many different answers that in the end, it felt a bit frustrating (even documentation was stating something different to the real behavior). Now at least it is clear to me that the current state is not the ideal state, that you are aware of it and that you will enhance it, which makes me feel better.

0 Upvotes
ReduceMyIns
Participant

Support form attachments (files) are public

SOLVE
Now there is a new problem. There is no way to share, forward, or otherwise share any existing file attachments with vendors or non hubspot users!
laurasligh
Participant

Support form attachments (files) are public

SOLVE

We are also running into this problem now. We have Hubspot forms that post to an external system, and there is currently no way to post the attachments as well as the form data. We have to have someone manually download then re-upload the attachments to the external system. This is a pretty cumbersome process. Is there any solution?