Is Lucidchart Safe When Shared to Confluence?
After realizing that any user with access to a Confluence page can view the Lucidchart diagrams embedded in it (even if the Lucid document was never explicitly shared with them), we sent a report to Lucid. Lucid was super professional and responded immediately, and it turns out the behavior we observed is intentional! This raises the question: is Lucidchart safe when sharing sensitive information? We thought you might be interested, especially in the context of SaaS security.
Are Lucidchart Diagrams Safe When Shared to Confluence?
At Reco, we LOVE using various technologies to collaborate. Knowing that with great love comes great responsibility, we take the same care with the privacy of our own data that we take with our customers' data and intellectual property. In other words, we have made a habit of reporting potentially dangerous behaviors in collaborative tools, and we have learnt that it is always better to err on the side of caution and double-check everything. This mindset led us to ask: is Lucidchart safe when integrated into our daily operations? The account of one such case is provided below.
We have been using Lucidchart quite a lot recently, mainly to sketch architectural design ideas for our platform. To support the discussion around them, we used the Lucidchart Diagram Connector widgets to embed several charts in Confluence pages, appreciating a user interface that made integration with our documentation easy. As expected, comments accumulated both on the diagrams' components and on the textual design docs in Confluence.
One night, however, a thought came to mind, the kind of thought working at Reco for a year invokes: Lucidchart diagrams are secured on their own, but what if those diagrams, which include sensitive data, were made accessible to anybody with access to those Confluence pages? What if one of our clients uses it the same way we do and is exposed to the same risk? This concern about the Lucidchart Confluence integration and its implications for data privacy led us to conduct a little experiment.
Communicating the Vulnerability Report to Lucid
We sent the report to Lucid following the standard vulnerability disclosure procedure. Confluence's customizable templates made it easier to format our findings and concerns in a structured way.
Here's the verbatim Vulnerability Report, as we handed it to Lucid:
Lucid Response to Our Vulnerability Report
Seth Manesse and Nathan Cooper from Lucid were incredibly responsive and professional. They responded in less than a day. Kudos! To our surprise, the behavior we observed is intentional!
In fact, Lucid doesn't view itself as responsible for an organization's collaboration security:
“The reason this is built this way is that the act of embedding a diagram into a Confluence page implies the user would like the diagram to be part of the Confluence page.”
Lucid followed up their excellent response by sharing that they want to indicate, in the UI, that a document has been embedded elsewhere:
“We do think it would be helpful to indicate in the share dialog on the document that the document has been embedded in an external system. We are currently exploring designs for a mechanism to do this, with no current estimated date of delivery.”
From Lucid's perspective, as the correspondence suggests, this behavior is 100% valid. We believe, however, that if you're a CISO (chief information security officer) you want security at the source and across every collaboration in between, because someone may access the page without a business justification simply by being a member of the space, or by having been accidentally added to an Active Directory group.
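One thing a security team can do about this today is inventory the embeds themselves: pull each Confluence page's storage-format body, find the Lucid macros, and compare the page's audience with the Lucid document's own share list. The Python below is an added example written for this post, not code from Reco or Lucid. It relies on the real Confluence storage-format macro markup, and it assumes (labelled in the code) that the Lucid connector's macro name contains "lucid" and stores the document identifier in a parameter such as documentId; the page viewer lists and Lucid share lists are constructed sample data standing in for REST API output.

```python
"""Audit which Lucid diagrams are embedded in Confluence pages and who can see them.

Added example (not Reco's or Lucid's code). Labelled assumptions:
- Page bodies are in Confluence storage format, which is real: macros are
  <ac:structured-macro ac:name="..."> with <ac:parameter ac:name="..."> children.
  The namespace URIs below are the ones commonly used to make a storage-format
  fragment parse as XML; they are not part of the saved body.
- The Lucid connector's macro name contains "lucid" and the document identifier
  sits in one of the parameters named in ID_PARAMS. Both are assumptions.
- Who can view each page (space permissions plus page restrictions, resolved to
  principals) is supplied by the caller; here it is constructed inline.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

AC_NS = "http://atlassian.com/content"
RI_NS = "http://atlassian.com/resource/identifier"
WRAPPER = f'<root xmlns:ac="{AC_NS}" xmlns:ri="{RI_NS}">{{body}}</root>'

# Assumed parameter names that may carry the Lucid document identifier.
ID_PARAMS = ("documentId", "documentToken", "id")


@dataclass
class Page:
    page_id: str
    title: str
    viewers: set            # principals who can view the page
    body_storage: str       # storage-format XHTML body


@dataclass
class Embed:
    page_id: str
    macro_name: str
    document_id: str


def find_lucid_embeds(page: Page) -> list:
    """Return one Embed per Lucid macro found in the page body."""
    # Storage bodies may use HTML entities that plain XML does not know.
    body = page.body_storage.replace("&nbsp;", "&#160;")
    root = ET.fromstring(WRAPPER.format(body=body))
    embeds = []
    for macro in root.iter(f"{{{AC_NS}}}structured-macro"):
        name = macro.get(f"{{{AC_NS}}}name", "")
        if "lucid" not in name.lower():
            continue
        params = {p.get(f"{{{AC_NS}}}name"): (p.text or "").strip()
                  for p in macro.findall(f"{{{AC_NS}}}parameter")}
        doc_id = next((params[k] for k in ID_PARAMS if params.get(k)), "<unknown>")
        embeds.append(Embed(page.page_id, name, doc_id))
    return embeds


def exposure_report(pages, lucid_shares) -> dict:
    """Map each embedded Lucid document to the principals who can see it through a
    Confluence page but are NOT on the document's own Lucid share list."""
    extra = {}
    for page in pages:
        for embed in find_lucid_embeds(page):
            shared_with = lucid_shares.get(embed.document_id, set())
            over_exposed = set(page.viewers) - set(shared_with)
            if over_exposed:
                extra.setdefault(embed.document_id, set()).update(over_exposed)
    return extra


# Constructed sample data standing in for Confluence REST API and Lucid share-list output.
ARCH_BODY = """<p>Platform architecture notes</p>
<ac:structured-macro ac:name="lucidchart" ac:schema-version="1" ac:macro-id="m1">
  <ac:parameter ac:name="documentId">doc-123</ac:parameter>
  <ac:parameter ac:name="autoSize">true</ac:parameter>
</ac:structured-macro>
<ac:structured-macro ac:name="toc" ac:schema-version="1" ac:macro-id="m2"/>"""

ONBOARDING_BODY = """<p>Welcome!&nbsp;Start here.</p>
<ac:structured-macro ac:name="lucidchart" ac:schema-version="1" ac:macro-id="m3">
  <ac:parameter ac:name="documentId">doc-456</ac:parameter>
</ac:structured-macro>"""

PAGES = [
    Page("100", "Platform architecture", {"alice", "bob", "carol"}, ARCH_BODY),
    Page("101", "Onboarding", {"alice", "dave"}, ONBOARDING_BODY),
    Page("102", "Team lunch", {"alice", "bob", "carol", "dave"}, "<p>No diagrams here.</p>"),
]

# Explicit share lists on the Lucid side (constructed).
LUCID_SHARES = {"doc-123": {"alice", "bob"}, "doc-456": {"alice"}}


if __name__ == "__main__":
    for doc_id, people in sorted(exposure_report(PAGES, LUCID_SHARES).items()):
        print(f"{doc_id}: visible via Confluence to {sorted(people)} who are not on its Lucid share list")
```

In practice the page bodies come from the Confluence REST API (the body.storage representation) and the viewer set has to be resolved from space permissions plus page restrictions, which is exactly the part that drifts when someone is added to a space or to a group; the comparison is only as good as that resolution.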
Conclusion
As data moves between SaaS applications, it changes business context and access lists. With Lucid, for instance, you may share directly through Lucid, share links via Slack or email, and embed charts inside Confluence pages; each hop carries its own audience. Altogether, this was a textbook case of the is-ought problem: data assets ARE secured within each SaaS application, but they OUGHT to remain secured when we collaborate with them, since without collaboration SaaS applications are useless.
ABOUT THE AUTHOR
Gal Nakash
Gal is the Cofounder & CPO of Reco. Gal is a former Lieutenant Colonel in the Israeli Prime Minister's Office. He is a tech enthusiast, with a background of Security Researcher and Hacker. Gal has led teams in multiple cybersecurity areas with an expertise in the human element.