Is Lucidchart Safe When Shared to Confluence?

Gal Nakash
Updated
May 10, 2023
April 22, 2024
5 min read

Is Lucidchart Safe?

After realizing that any user with access to a Confluence page can view the Lucidchart diagrams embedded in it (even if the document was never explicitly shared with them), we sent a report to Lucid. Lucid responded immediately and very professionally, and it turns out the behavior we observed is intentional! This raises the question: is Lucidchart safe when sharing sensitive information? We thought you might be interested, especially in the context of SaaS security.

Are Lucidchart Diagrams Safe When Shared to Confluence?

At Reco, we LOVE using various technologies to collaborate. Knowing that with great love comes great responsibility, and since we take great care to protect the privacy of our customers' data and intellectual property, we pay the same attention to the privacy of our own data. In other words, we have come to expect to report potentially dangerous behaviors in collaborative tools, and we have learnt that it is always better to err on the side of caution and double-check everything. This mindset led us to ask: is Lucidchart safe when integrated into our daily operations? One such case is described below.

We have been using Lucidchart quite a lot recently, mainly to sketch architectural design ideas for our platform. To support the discussion around them, we used the Lucidchart Diagrams Connector widget to embed several charts in Confluence pages, appreciating a user interface that made integration with our documentation easy. As expected, comments appeared both on the diagrams' components and on the textual design docs in Confluence.

One night, however, a thought came to mind, the kind of thought that working at Reco for a year invokes: Lucidchart diagrams are secure on their own, but what if those diagrams, which include sensitive data, were accessible to anybody with access to those Confluence pages? What if one of our clients uses the integration the way we do, and is exposed to the same risk? This concern about the Lucidchart-Confluence integration and its implications for data privacy led us to conduct a little experiment.

Communicating the Vulnerability Report to Lucid

We sent the report to Lucid following all the standard vulnerability disclosure procedures. Our documentation, supported by customizable templates from Confluence, made it easier to format our findings and concerns in a structured manner.

Here's the verbatim Vulnerability Report, as we handed it to Lucid:

Product Name: Lucidchart Diagram Connector
Marketplace Listing: Lucidchart Diagrams Connector | Atlassian Marketplace
Vendor: Lucid Software
App Key: com.lucidchart.confluence.plugins.lucid-confluence
Version: 2.0.22-AC
Date the Vulnerability Was Observed: July 24th, 2022
Description of the Vulnerability: A Lucidchart document (diagram) with private visibility scope is visible to any user with access to a Confluence page that has a Lucidchart Diagram Connector widget showing the diagram.
Instructions to Duplicate the Vulnerability:
1. Log in to Lucidchart using your organizational account.
2. Create a new Lucidchart Blank Document (for validation: add some unique content to the canvas).
3. Make sure that a tooltip with the text "this document is currently private" shows when hovering over the "Share" button at the top-right corner of the Lucidchart window. Do not modify any permissions on the document.
4. Log in to Atlassian Confluence using your organizational account.
5. Create a new page.
6. On the page, add a new Lucidchart Diagrams Connector widget. Configure it to show the newly created Lucidchart document.
7. Publish the page (optional: set access restrictions on the page).
8. Any user with access to the page can view the Lucidchart document via the widget, even if the document was not explicitly shared with them.

Lucid Response to Our Vulnerability Report

Seth Manesse and Nathan Cooper from Lucid were incredibly responsive and professional. They responded in less than a day; kudos! To our surprise, the behavior we observed is intentional!

In fact, Lucid doesn't view itself as responsible for an organization's collaboration security:

“The reason this is built this way is that the act of embedding a diagram into a Confluence page implies the user would like the diagram to be part of the Confluence page.”

Lucid went further in their excellent response and even shared that they intend to indicate, in the UI, that a document has been embedded elsewhere:

“We do think it would be helpful to indicate in the share dialog on the document that the document has been embedded in an external system. We are currently exploring designs for a mechanism to do this, with no current estimated date of delivery.”

From their perspective, as the correspondence suggests, this behavior is 100% valid. However, we believe that if you're a CISO (chief information security officer), you want security at the source and across all the collaborations in between, in case someone accesses the page without business justification, for example because they are a member of the space or were accidentally added to an Active Directory group.

Conclusion

As data moves between SaaS applications, it changes business context and access lists. Using Lucid, you may, for instance, share directly through Lucid, share links via Slack or email, and embed charts inside Confluence pages. Altogether, this was a textbook case of the is-ought problem: data assets ARE secured within each SaaS application, but they OUGHT to be secured when we collaborate with them, since without collaboration, SaaS applications are useless.
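To make the access change described in the reproduction steps and in this conclusion concrete, here is an added example (not code from Reco, Lucid or Atlassian) that models the effective audience of a diagram once Confluence embeds are taken into account: the Lucid share list plus every reader of every page that embeds the document. It assumes, for illustration only, that the embed appears in Confluence storage format as a structured macro named "lucidchart" carrying a "documentId" parameter, and that each page's reader set has already been resolved from space permissions and page restrictions; the page bodies, document ids and account names are constructed sample data.

```python
"""
Exposure model for Lucid diagrams embedded in Confluence pages.

Added example, not code from Reco, Lucid or Atlassian. Assumptions (not taken
from the post): the embed is a structured macro named "lucidchart" with a
"documentId" parameter, and page reader sets are already resolved.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Set

AC_NS = "http://atlassian.com/content"
RI_NS = "http://atlassian.com/resource/identifier"
EMBED_MACROS = {"lucidchart"}  # assumed macro name
DOC_PARAM = "documentId"       # assumed parameter carrying the Lucid document id


def find_embedded_docs(storage_xhtml: str) -> List[str]:
    """Return the Lucid document ids referenced by embed macros in a page body.

    Storage format uses the ac:/ri: prefixes without declaring them, so the
    fragment is wrapped in a root element that binds both prefixes.
    """
    wrapped = f'<root xmlns:ac="{AC_NS}" xmlns:ri="{RI_NS}">{storage_xhtml}</root>'
    root = ET.fromstring(wrapped)
    doc_ids: List[str] = []
    for macro in root.iter(f"{{{AC_NS}}}structured-macro"):
        if macro.get(f"{{{AC_NS}}}name") not in EMBED_MACROS:
            continue
        for param in macro.findall(f"{{{AC_NS}}}parameter"):
            if param.get(f"{{{AC_NS}}}name") == DOC_PARAM and param.text:
                doc_ids.append(param.text.strip())
    return doc_ids


@dataclass
class Page:
    page_id: str
    storage: str        # body.storage value of the page
    readers: Set[str]   # who can view the page after restrictions are applied


@dataclass
class LucidDoc:
    doc_id: str
    title: str
    shared_with: Set[str]  # accounts on the Lucid share dialog (owner included)


def effective_viewers(doc: LucidDoc, pages: List[Page]) -> Dict[str, object]:
    """Who can see a diagram once Confluence embeds are taken into account.

    The audience is the Lucid share list plus every reader of every page that
    embeds the document. Anyone in the audience who is not on the Lucid share
    list is an indirect viewer, which is the situation the report describes.
    """
    embedding_pages: Dict[str, Set[str]] = {}
    for page in pages:
        if doc.doc_id in find_embedded_docs(page.storage):
            embedding_pages[page.page_id] = page.readers
    audience = set(doc.shared_with)
    for readers in embedding_pages.values():
        audience |= readers
    return {
        "doc_id": doc.doc_id,
        "title": doc.title,
        "embedded_in": sorted(embedding_pages),
        "indirect_viewers": sorted(audience - doc.shared_with),
    }


def audit(docs: List[LucidDoc], pages: List[Page]) -> List[Dict[str, object]]:
    """Return one finding per document whose audience grew through embedding."""
    findings = [effective_viewers(d, pages) for d in docs]
    return [f for f in findings if f["indirect_viewers"]]


# Constructed sample data (not real page content or accounts).
SAMPLE_PAGES = [
    Page(
        page_id="1001",
        storage=(
            "<p>Platform design notes</p>"
            '<ac:structured-macro ac:name="lucidchart" ac:schema-version="1">'
            '<ac:parameter ac:name="documentId">doc-arch-01</ac:parameter>'
            "</ac:structured-macro>"
        ),
        readers={"alice", "bob", "carol"},
    ),
    Page(page_id="1002", storage="<p>No diagram on this page</p>", readers={"dave"}),
]
SAMPLE_DOCS = [
    LucidDoc("doc-arch-01", "Platform architecture", shared_with={"alice"}),  # private
    LucidDoc("doc-misc-02", "Team offsite map", shared_with={"alice", "bob"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCS, SAMPLE_PAGES):
        print(f"{finding['title']} ({finding['doc_id']}): embedded in pages "
              f"{finding['embedded_in']}, readable without a Lucid share by "
              f"{finding['indirect_viewers']}")
```

Run against real data, the page bodies would come from the Confluence content API and the reader sets from space permissions and page restrictions; the useful output is the list of indirect viewers per diagram, which is the gap between how a document is secured "at the source" and how it is reachable through the collaboration around it.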

ABOUT THE AUTHOR

Gal Nakash

Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast, with a background of Security Researcher and Hacker. Gal has led teams in multiple cybersecurity areas with an expertise in the human element.
