Hi everyone,
I recently encountered a strange and concerning situation that I wanted to share and get your thoughts on. Without my knowledge or consent, I noticed that someone I don’t know was added as a viewer to one of my older projects 16 days ago. The email associated with this user ended with @seventeensierra.com, but unfortunately, I didn’t copy the full email address at the time because I was focused on removing the user and deleting the project altogether.
What worries me the most is that this happened without any notification or email alert. I have no idea how this person was able to gain access or be added to my project. Has anyone else experienced something similar? I’m really concerned about the security of my account and projects right now.
If anyone has advice on how to prevent this from happening again or insights into how this could have occurred, I’d greatly appreciate it. Thanks in advance!
Apparently, the “share by link” option was enabled for that project. However, I don’t remember turning this on, as I work completely alone and there’s no one I need or want to share this project with.
This might explain how that unknown person was added as a viewer, but it still doesn’t clarify how or why the link sharing was enabled in the first place. Has anyone else experienced something similar? Could this happen accidentally, or is there a possibility of a security issue? I’d really appreciate any insights or advice on how to prevent this in the future.
And yes, I am one of those people who never goes outside and always works from home, so it’s highly unlikely that someone from outside could have accessed my account and added themselves.
Hello @jamespan, all projects created before March 2024 had the Share by Link feature enabled by default, which might explain the confusion about how it got activated. This was an intentional decision on our end to ease sharing, as users can already view your page in the browser. To clarify, this means it was enabled by default and not because someone logged into your account and enabled it.
For new projects created after March 2024, this feature is disabled by default.
Hi @sarah_ahmed,
Thank you for your explanation regarding the “Share by Link” feature. I understand now that it was enabled by default for projects created before March 2024, which clarifies how it might have been activated without my knowledge.
However, there’s another detail that concerns me. In one of my personal projects, I noticed a user listed next to my name with an email address ending in @seventeensierra.com. This was not a project I shared with someone else or one of the Supabase projects I’ve added to my list. Here’s a screenshot for reference:
For comparison, here’s how my Supabase projects look:
Could you help me understand how this user was added to my personal project? It’s unclear to me how they gained access, especially since I didn’t intentionally share the project with anyone. Any insights would be greatly appreciated!
Can you DM me the project ID so I can check some metadata to answer your question? Thank you.
I don’t remember the ID of that project anymore because I was so shocked that I immediately deleted it. Fortunately, it was an old project that I wasn’t using anymore.
Hi,
I recently went on a search for a project I had seen once shared on the forum for a particular component that I thought was cool. I couldn’t remember which one it was, so I went through every project shared in Plasmic. So, it is likely you had previously shared the link publicly here on the forum; that was the only way I would have known about it, and it lines up with my activity.
During that time, I had sent Plasmic a list of the projects that I accessed, in case others have similar concerns, so they can get in touch with folks and ask if they’re in a similar situation as you, or if their intention is to share the project publicly and they are aware that anyone on the forum, not just me, is able to access it.
For situational awareness, this is the email I sent to Plasmic on December 28th, 2024.
Hello Plasmic Security Team,
I hope you’re doing well. I recently spent some time browsing the Forum and noticed that several projects were accessible via public share links. I have made personal copies of these projects in the spirit of “forking”. Based on some feedback I have received, it appears that some project owners may not realize their work is publicly visible. Below is a list of the projects I encountered, with the corresponding projects.
Project Name
Odyssey Components
Auckland Climate Festival Website
font weight issue
Marketing (Production)
Home
Spatial Dynamics
MidiX 1.0 Published UI
Share Public pages [Production]
Myojournal
equip.health
theheygang.com
eCommerce
Blank project
Ez Marketing Platform
Share Supa Stealth 30
Supa Stealth 30
Vita Virtues Website
Bobbles website
Copy of feed.presell.ai
Treegency2
Copy of LB v4
ecosapiens.xyz
Application
Abakus
Chang Ho Chien portfolio website
REMMS4ALL
REMMS Website - CH
Li Battery Co
MyEvals App
Light SaaS landing page
Website
booiq-website
Booiq.Design.System
talent.offtoglow.com NEW
SafeGraph Components
Lyric Keeper
Aatos Plasmic
Imagina_Plantillas
LG Landing Pages
Macro Landing Page
Hiree B2B Landing page
TOPC website
Crypto Caiman Club
Maquinas Jud
V2: Fathym Platform Marketing
Origin
CBAT
Chunlyn 2.1
Plasmic Tests
Project E
TrustPilot clone
HubHub
CyberCop - Design sprint #1
Qorus Banking awards 2023
Marketing (Production)
StellarShift
partsoil
SUPA! V1
Stampix.com
ckfathersdayv1
TW-Management
Fintale Landing Page
Peyce Mag
eCaves Website
IMBAS23@FPRE
Condition Guard Example
MSC Portal
form tester
Sarv
GraphQL Example
astriusdraft
Cloven
Turismo Swell
Cube3 2024
BagianPemerintahan
wayanadfinder-react
Button example
Website starter
nadi mama (mobile first)
1Hire: Website
Breadcrumb Ai Demo
CRM
Certainly Web
levitate-tutors-app
Koncern Servis
Based on these findings, I wanted to raise the possibility that some users might be unaware they have made their projects publicly accessible. Below are a few suggestions to help reduce the risk of accidental project exposure:
- Improve link sharing UI
  - Clearly label projects that are publicly shared with a distinct icon or color.
  - Provide a prominent warning banner or prompt that indicates when a project is set to “Public.”
  - Right now the message is “Share by link is enabled” and, based on other SaaS tools’ UI, it isn’t obvious that folks are able to share by a link AND that it is publicly accessible.
  - Instead of “Share with link,” consider using a more explicit option like “Make project publicly viewable” or “Anyone can view.”
  - Include a tooltip or description that clarifies the implications of choosing each share setting.
  - Require project owners to click through a confirmation dialog that explains the consequences of making a project publicly accessible.
  - Automatically send an email notification to the project owner when a project’s visibility settings are changed to Public.
  - Consider creating a UI for an Activity Log for a project, like other collaborative SaaS products do.
  - Add brief onboarding tips or help articles explaining the difference between private, shared-with-specific-people, and publicly shared projects.
  - Consider an automated check or reminder if a project has been publicly accessible for more than a certain time period, prompting the owner to review or confirm the setting again. Or allow the user to set an expiration for when a shared link is accessible.
- Improve App Host ability in UI
  - Only show the app host URL to users who have actually been added to the project instead of people who have access to the project by a shared link.
- Improve information displayed for CMS credentials
  - Right now, anyone with access to the Plasmic Project is able to view the credentials for the CMS that is connected to the project. Recommend at the very least that the UI is only available to folks that are added to the project. Even so, it should also possibly be behind an authentication boundary within the project itself so only designated people can see it; or at least password protected.
- Actively cultivate the community to share projects
  - One of the reasons it might be a surprise to others that their projects are shared publicly is that there isn’t a community page where people can actively browse public projects. That would draw more awareness of the consequences of sharing publicly.
  - It might also be that people want to share the work they’ve done as a portfolio, but not actually want people to have access to the work of their project. Making it easier for people to share the results of their projects without actually sharing the projects could be a happy medium. I think the preview button for the templates could be better utilized for that.
  - In the past, I’ve suggested a feature in the projects list to separate out projects that are “shared by others” to make a distinction that there are shared projects vs projects that someone owns or that are part of their organization.
  - Similarly, there could be a tab of “Projects Shared by me” where any project that has that button ticked could be sectioned off to draw better awareness to it.
I believe these changes could help ensure that creators on the Plasmic platform are fully aware of their projects’ share settings and the potential implications of making them public. Please let me know if there’s any additional information I can provide or any specific steps you’d like me to take regarding these findings. If this was an action that was inappropriate for me to have taken, I would appreciate it if you let me know, and I believe that the “removing project from dashboard” feature available to me allows me to leave a project if I’ve been added to it by accident rather than by an intentional action of the owner. I’d prefer the opportunity to do that ahead of any advice that might go out to users, rather than drawing everyone’s attention to me. Also, I’m more than willing to delete the repo where I have my saved copies of the projects if that is deemed beyond what is acceptable.
Thank you for your time and attention.
Best regards,
Alyssa
Hi @alyssa_feola ,
Thank you so much for your response. This explains a lot. I now understand how you were able to access one of my projects. It’s true that I wasn’t aware the “Share by Link” feature was enabled, and on top of that, I didn’t receive any email notification to let me know someone had been added to my project. So, when I saw your icon, I was completely shocked.
However, I’m really glad there are users like you who want to create a better environment and community here.
Thank you so much.
James