Transcript Access without authentication - ie your transcriptions on the open web

RyanH Member Posts: 1
Beware: if you utilize Voice AI with integrations (ie Salesforce) or share any kind of transcription via Dialpad, the information is shared through an unsecured link and can be accessed by anyone with said link. You should interpret this to mean that your company's information, ie any PII, could be on the open internet and vulnerable to anyone who happens to get the obscuring hash correct. Dialpad security sent me this information when I raised alarm:

'Yes, we're aware of this, and it's a design choice that is consistent with our privacy obligations.

As you might have seen, the URL consists of a unique and very difficult to guess hash. This is not the only way to do it; it's possible to add on a layer of authorization prior to allowing access to web resources. This has the advantage of ensuring that even if someone gets a direct link to a resource, they can't access it without logging in. On the other hand, it reduces usability because these resources are harder to share.

In this case, one way voicemails are delivered to Dialpad users is as links in emails. With this configuration, forwarding a voicemail is as easy as forwarding an email, because all of the information needed to access the voicemail is included in the email.

You cannot, however, access https://dialpad.com/blob/voicemail/ and find all the files sitting there. Nor can someone, as a practical matter, guess one of the identifiers, because that would be akin to guessing a 161 character password. Possible, but in no way feasible, and considered well within the bounds of safe practices.

The content is viewable, but only if you already know the exact URL. The length of the identifier makes it adequately secure against brute forcing attacks, and it is not indexed on Google or other search engines.

Again, to be clear: This is a design choice, and represents an acceptable balance between usability and security. Different companies opt for different solutions and different resources merit different types of protections; this one works for us and for our users. '

I don't think I'm alone in voicing a deep level of concern about this open access. Many companies large and small utilize this software and would be extremely uncomfortable with the knowledge that anything said in any transcribed conversation is available to the open internet. Please join me in calling for Dialpad to add authentication for accessing these shared transcripts.