Please upvote this recommendation if you agree with the urgency of a fix for this.
Imagine the following scenario: in 5 minutes an anonymous Scammer creates a free Smartsheet trial account with a fake email address, and:
- They create a Workspace entitled "_Please Confirm Account and Remove this Workspace"
- They create a Dashboard in that workspace containing a link labeled "Click to confirm your account and remove this workspace". The link is an external link to any destination, such as:
  - A virus
  - Malware
  - A fake corporate site
  - A phishing site
- Scammer creates a group called "All Users" containing a list of email addresses scraped from the community forums or user accounts or your corporation's email address list.
- Scammer SHARES the workspace with the "All Users" group, with view only permissions.
The Dangerous part, what happens next?
- The Scammer's workspace automatically appears in everyone's workspaces in that group because the end user doesn't have to accept the share.
- The workspace is actually AT THE TOP of the user's workspaces because the name starts with an underscore "_"
- The user assumes this must not be a scam, because how could it just appear there? It must be from Smartsheet or Corporate.
- The user clicks on the link and gets infected
- The user CANNOT REMOVE THE WORKSPACE or the dashboard, so if they haven't clicked the link, they will now in hopes that it removes the workspace.
I'm amazed this hasn't already happened on a mass scale. If or when it does, it could be very troublesome for everyone including Smartsheet corporate. As it stands, it's just really annoying when someone shares a workspace to a group that you're a part of and that you didn't agree to because you cannot remove it.
Solutions / Features I am Requesting:
- Allow all users to remove themselves from groups easily
- Require that workspace invites be "Accepted" before adding them to their workspace list, even if they're part of a group.
- Create these (or similar) "Admin Settings" for workspace sharing:
  - Hide workspaces from all users with specific names, that use specific words in the name, or are shared by specific users.
  - Allow users to have a workspace shared with them only from a specified list of domains (whitelist domains or email addresses).
  - Do not allow users to be added to a shared workspace by group.
  - Toggle whether users must approve being added to a group that is outside their organization (whitelist for this too?).
  - Report specific email accounts to Smartsheet support as spam/scams.
  - Allow users to flag a workspace / report it as suspicious to the admin, which automatically shares it with the admin and notifies them.
Am I wrong that this could happen? This is the kind of feature that could cause companies to leave due to security breaches.
If anyone has other ideas please share.
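To make the requested admin settings concrete, here is an added illustration (not Smartsheet code, and not an existing Smartsheet API) of how an incoming workspace share could be evaluated against a domain allowlist, blocked sharers, blocked name patterns, a group-share switch and an acceptance requirement. The `SharePolicy` class, `decide_share` function and sample share events are all hypothetical and constructed for this example.

```python
import re
from dataclasses import dataclass

# Hypothetical policy modelling the requested admin settings; not a Smartsheet API.
@dataclass
class SharePolicy:
    allowed_domains: frozenset          # only these sender domains may share (allowlist)
    blocked_sharers: frozenset          # specific sender addresses whose shares are hidden
    blocked_name_patterns: tuple        # regexes; a matching workspace name is hidden
    allow_group_shares: bool = False    # shares delivered through a group membership
    require_acceptance: bool = True     # direct shares wait for the user to accept

def decide_share(policy: SharePolicy, share: dict) -> tuple:
    """Return (state, reason) for one incoming workspace share.
    state is "hidden" (never shown), "pending" (needs acceptance) or "visible".
    share keys: workspace (name), shared_by (email), via_group (bool)."""
    sender = share["shared_by"].lower()
    domain = sender.rsplit("@", 1)[-1]
    name = share["workspace"]
    if domain not in policy.allowed_domains:
        return "hidden", f"sender domain {domain} not allowlisted"
    if sender in policy.blocked_sharers:
        return "hidden", f"sender {sender} is blocked"
    for pat in policy.blocked_name_patterns:
        if re.search(pat, name, re.IGNORECASE):
            return "hidden", f"workspace name matches blocked pattern {pat!r}"
    if share["via_group"] and not policy.allow_group_shares:
        return "hidden", "group-based sharing is disabled"
    if policy.require_acceptance:
        return "pending", "awaiting user acceptance"
    return "visible", "allowed"

CORP_POLICY = SharePolicy(
    allowed_domains=frozenset({"corp.example"}),
    blocked_sharers=frozenset({"former-contractor@corp.example"}),
    blocked_name_patterns=(r"^_", r"confirm (your )?account", r"remove this workspace"),
)

# Constructed sample share events (not real data): the scam from the post, plus internal shares.
SAMPLE_SHARES = [
    {"workspace": "_Please Confirm Account and Remove this Workspace",
     "shared_by": "noreply@free-trial.example", "via_group": True},
    {"workspace": "Q3 Planning", "shared_by": "alice@corp.example", "via_group": False},
    {"workspace": "Team Tracker", "shared_by": "bob@corp.example", "via_group": True},
    {"workspace": "_Archive", "shared_by": "carol@corp.example", "via_group": False},
]

def triage(policy: SharePolicy, shares: list) -> list:
    """Evaluate every share and return [(workspace, state, reason), ...]."""
    return [(s["workspace"], *decide_share(policy, s)) for s in shares]

if __name__ == "__main__":
    for workspace, state, reason in triage(CORP_POLICY, SAMPLE_SHARES):
        print(f"{state:8} {workspace!r}: {reason}")
```

Rules are checked in order, so the first matching restriction decides; an internal share that passes every check still lands as "pending" until the user accepts it.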