💦🪣 Data leaks in Asana and their fixes

Asana is an awesome collaboration tool. But you are always one click away from inviting the wrong user to the wrong project! Here is a list of all the possible data leaks and their fixes.


:sweat_drops: A guest inviting another guest

Any guest can give another guest the same permission they have. So they can invite someone else on any team, project, or task they already see.

:bucket: The solution is to invite guests only to what they need to have access to, and have an admin watch for new guests being invited. With an Enterprise account, you can control who can invite guests (Admins, admins & members, anyone).


:sweat_drops: Let go employees

When you let go an employee, you usually get back their phone, laptop, disable their badge and their email. If you forgot their Asana account, they still have access to company data!

:bucket: Deprovision their account as soon as you disable the rest of their credentials or use SAML with Enterprise account.


:sweat_drops: Consultant staying as collaborators

I have experienced this one first hand: I get hired to design a template, I forgot to remove myself as a collaborator, and then I start getting notified about other people using the template. That « template backdoor » gives me access to any project based on the template!

:bucket: When a consultant is done, deprovision their account. In addition, remove from the template tasks collaborators anyone involved in the building phase.


:sweat_drops: Bot & service accounts

Some organizations have created a special bot account that has access to everything. That makes things easier to build dashboards or reporting. But if that account leaks, you give access to the entire org! The same thing goes for Personal Access Token generated, or Service Accounts.

:bucket: You need to have a strong password for that bot account, and limited employees with access to it. Also, if you can, apply a comment-only permission for that account on each project.


:sweat_drops: Untrustworthy 3rd party applications

I know this for a fact: any app that goes through an Asana login phase has access to your entire account. They get the same permissions as you, they can read everything you can see, and update everything you have write permissions on.

:bucket: Deauthorize an app after use, and only use apps that are trustworthy: the Forum is a good source to see ratings and testimonials or ask for one.


:sweat_drops: Wrong team members or privacy settings

When you invite the wrong person on a team, they get access to all the public projects of that team. If a team is public by design, they can just walk in without any permission!

:bucket: Make sure the public Teams are truly public, and review Team members on a regular basis.


:sweat_drops: Read-only links shared

The latest read-only feature allows you to generate a link to share a read-only version of a project. Once created, that link could be shared to anyone!

:bucket: Make sure to not store any critical information inside task names, and also disable a link when not needed anymore.


Any other leaks I forgot? Thanks @Steve_Fleckenstein and @Julien_RENAUD for your help!

:fr: Version Française

10 Likes

@Bastien_Siebman thanks for this helpful list! I’d add one more: inadvertently inviting guests to a Team, which gives them access to public projects in the Team. It’s important to educate Members about this and other permission topics… the Asana guide articles are helpful and providing custom guidance is better still.

– Steve

1 Like

@Bastien_Siebman
Create a public team when it should be private or membership on request.
Solution : check of the team list by the admin

To complete your point 2 : SAML can help to delete accounts when you are in company

2 Likes

Thanks I have included your feedbacks! :heart:

1 Like

Review service accounts? Not sure if this is covered by your 3rd party app section, but service accounts get full access to Asana and could be a way in. I’m assuming if you deprovision an Admin or remove their Admin status, that any service accounts they created would remain, but I haven’t tested this.

Would the admin control for Guest Invites work to block guests from inviting other guests? We have three options ‘anyone can invite guests’, ‘admins and members can invite guests’, and ‘only admins can invite guests’.

Good points @Anthony_Tamalonis I’ll check.

I have added Service accounts to the bots section. Also checked, with an Enterprise account, you can control who can invite guests (Admins, admins & members, anyone).

1 Like

I have added a new leak “Read-only links shared”!

3 Likes