Intigriti - Hack Hub
View access misconfiguration

Last updated 12 months ago

Description:

Figma is a collaborative platform for interface design. By default, Figma Drafts are assigned public view access for anyone who has the link. This can be a business risk: early-stage promotional content, for example, may not be meant to be public yet. Beyond that, it is best practice to grant view access only to authorized team members.

Testing:

Visit the Figma design file link without being signed in and observe the response. A link looks like the following:

https://www.figma.com/file/{DesignID}/{DesignFileName}
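The check above can be scripted for an inventory of your own team's file links. The following is an added example, not code from Intigriti's Misconfig Mapper or from Figma. It validates the link layout shown above, performs an anonymous GET, and classifies the outcome. The classification is a stated assumption, not documented Figma behaviour: a 200 HTML document served from the file path is treated as viewable by anyone with the link, while a redirect to a login route or a 4xx status is treated as restricted. Accepting `design` as a path segment alongside `file` is likewise an assumption about newer Figma links.

```python
"""Audit helper: does a Figma file link resolve for an anonymous visitor?

Added example, not Intigriti's or Figma's own code. Assumptions are marked.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse
import urllib.error
import urllib.request

FIGMA_HOST = "www.figma.com"
# "file" is the path segment shown in the docs; "design" is accepted as the
# newer segment Figma uses for the same links (assumption, not from the page).
FILE_PATH_SEGMENTS = {"file", "design"}


@dataclass
class FigmaFileLink:
    design_id: str
    file_name: Optional[str]


def parse_figma_file_url(url: str) -> FigmaFileLink:
    """Validate https://www.figma.com/file/{DesignID}/{DesignFileName}."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != FIGMA_HOST:
        raise ValueError(f"not a figma.com link: {url}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0] not in FILE_PATH_SEGMENTS:
        raise ValueError(f"unexpected path layout: {parts.path}")
    design_id = segments[1]
    if not design_id.isalnum():
        raise ValueError(f"design id is not alphanumeric: {design_id}")
    file_name = segments[2] if len(segments) > 2 else None
    return FigmaFileLink(design_id=design_id, file_name=file_name)


# Outcome of an anonymous GET, reduced to what the classifier needs:
# (final HTTP status, final URL after redirects, Content-Type header).
Response = Tuple[int, str, str]


def classify(response: Response) -> str:
    """Map an anonymous response to a verdict.

    Heuristic (assumption, not documented by Figma): a 200 HTML document served
    from the file path means "anyone with the link" can view it; a redirect to
    a login route, or any 4xx, means viewing requires sign-in first.
    """
    status, final_url, content_type = response
    path = urlparse(final_url).path
    if path.startswith("/login") or status in (401, 403, 404):
        return "RESTRICTED"
    if status == 200 and "text/html" in content_type:
        return "PUBLIC_VIEW"
    return "UNKNOWN"


def fetch_anonymous(url: str, timeout: float = 10.0) -> Response:
    """GET the link with no cookies; urllib follows redirects like a browser."""
    req = urllib.request.Request(url, headers={"User-Agent": "figma-share-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), err.headers.get("Content-Type", "")


def audit_link(url: str, fetch: Callable[[str], Response] = fetch_anonymous) -> dict:
    """Parse, fetch and classify one link; `fetch` is injectable for offline use."""
    link = parse_figma_file_url(url)
    verdict = classify(fetch(url))
    return {"design_id": link.design_id, "file_name": link.file_name, "verdict": verdict}


if __name__ == "__main__":
    import sys
    # Usage: python figma_share_audit.py https://www.figma.com/file/<id>/<name> ...
    for url in sys.argv[1:]:
        print(audit_link(url))
```

Run it only against links your organisation owns, and treat `UNKNOWN` (for example a 5xx, or a non-HTML 200) as "re-check manually" rather than as a pass. The injectable `fetch` keeps the parsing and classification testable without network access.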

Remediation:

To disable view access for unauthorized users:

  1. Sign in to your Figma account

  2. Right-click the design file

  3. Click on Share in the select menu

  4. Select Only people invited to this file instead of Anyone with the link

  5. Each user that attempts to view your design will now be required to sign in first instead

Potential Impact:

If your company uses Figma, unauthorized users may be able to view the contents of early-stage design files.

References:

https://help.figma.com/hc/en-us/articles/1500007609322-Guide-to-sharing-and-permissions