topic Re: Workato Recipe Sharing Security in Workato Pros Discussion Board

Workato Recipe Sharing Security

gordonhuworkato — Sat, 17 Apr 2021 13:57:41 GMT

This is more for workato team. I know we can set up permission so that a recipe is not by default available in the community.

Each recipe by default comes with a sharing URL, which is useful for sharing and for support.

However the URL is open (if you have it), and the string after “st” is not very long. So...I am wondering if there could be some malicious users harvesting the recipes by trying random recipe numeric number and the token.

I know the chance of getting a hit may be low but ... you never know. Can’t underestimate the super computer’s power 😅

I am wondering if this is on workato’s radar? I can see a few options:

Box’s approach:
1. Set up policy to auto expire share links after x days

2. Allow token regeneration ad-hoc

3. Allow manually extending the sharing period

Okta’s approaxh: disable sharing altogether and when workato support needs to get in, grant just in time access globally, or only to the recipe.

Thoughts?

Re: Workato Recipe Sharing Security

deven-maru — Sun, 18 Apr 2021 11:08:39 GMT

Hi Gordon, thanks for the feedback. It makes sense to have some type of expiration or control the sharing. We have Okta like disabling of sharing to community in Account Settings > Recipe preferences > Allow recipes to be listed on community.

Similar global setting can be made available for recipe private sharing so admin can disable sharing if needed. Although it will apply globally to all recipes. Let me take this feedback and discuss it internally and see what we can do here.

Re: Workato Recipe Sharing Security

deven-maru — Sun, 18 Apr 2021 11:11:03 GMT

Can you tell me more how this concern around recipe sharing came about?

Re: Workato Recipe Sharing Security

gordonhuworkato — Sun, 18 Apr 2021 11:45:33 GMT

I know sometimes a recipe might contain sensitive info, such as username, user ID, PII, or worse....keys.

If I am an attacker, I will try a combo to see if I can get in a recipe and harvest useful info.

Re: Workato Recipe Sharing Security

gordonhuworkato — Sun, 18 Apr 2021 12:49:23 GMT

FYI I am referring to the “sharing” that is using the token. The type that workato support uses to have access to the recipe. I am not sure if that token is refreshed periodically. But I have a feeling not - because we have to put that URL in the case. If it expires, the support loses access.

Re: Workato Recipe Sharing Security

deven-maru — Mon, 19 Apr 2021 02:48:39 GMT

Thanks Gordon. Yes, it needs to balance the need for security as well as the ease of sharing with support or other stakeholders.