Dangerous sharing bug under "Embed map in your website"

Hi folks,
this is scary! :exploding_head:
I just tried the (new?) sharing function “Embed map in your website” which can be found at the bottom of each map’s sharing tab.
I wanted to share a 2D map sample on my website for demonstration purposes. When I pasted the generated HTML embedding code into my website and checked it online, I was very surprised that not only was the “2D Map” available to my website visitors, but so were all the other map/model types (“3D Model”, “Plant Health” and “Elevation Map”): DroneDeploy’s whole function menu was operative!
BUT THE BIGGEST SURPRISE: I was also able to use the BACK ARROWS for DATA and FOLDER up to the DASHBOARD level and was able to look at (and I think even to delete) all of my projects from a browser which was not logged into my DroneDeploy account!

I immediately removed the embedded sharing from my site :sweat:



That is scary! Thanks for sharing.

@vr-pilot Did you try the embedded map from a browser in which you are sure you were not logged into Drone Deploy? If you were logged into DD, or previously had been in the same browser, that doesn’t mean that a visitor that was not logged into your account would gain the same access that you experienced. Just a WAG (wild arse guess) on my part.

Hi Dave,
you are right regarding your “guess”. It must have been weeks ago that I used Firefox on my laptop to log into my DD account. So the “phenomenon” is not a general or absolute safety issue.
BUT: this means that on every PC I used in the past, on which I did not use the DD “Sign Out” procedure before finally closing the browser, my DD account will be “open doored” as long as no one clears the browser’s cache files (stored data)…
“Normal map links” sent by e-mail and “embedded website links” published on websites will both open full account access if a former login remains stored in the recipient’s browser.
I just changed the PW for my DD account inside Chrome but Firefox did not take notice of the change and still gave full access to the account using the old log in information.
That is a safety issue because even changing the PW does not end “former” browser access!
(I just checked it twice and Firefox really gets full account access based on the old data, although the PW is different…)
In addition to solving this problematic issue, it would be better to only grant access to the selected map types you actually want the recipient (e-mail link or website embedding) to look at or use.
I was surprised by the fact that “website embedding” behaves differently from the “export tool”. I actually only wanted to embed a 2D map on my website, but “on the other end” the whole portfolio was granted.
It is nice to have it this “all you can do with DD”-way, but the control over what can be seen or done on the other end should be in the hand of the link poster and content owner or producer.

Thanks in advance for clearing this up!
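The two observations in the post above (a weeks-old Firefox login still working, and a password change in Chrome not ending it) are both session-lifecycle questions rather than anything specific to map embedding. The following is an added example, written for this thread and not DroneDeploy’s code; it does not describe how their service actually stores sessions. It shows the two server-side controls a practitioner would expect: every session records the user’s “session generation” at login and a password change bumps that counter, so older sessions fail validation even though their tokens were never deleted, and every session carries an absolute lifetime. All names (`SessionStore`, `User`, the 7-day lifetime, the simulated clock) are assumptions for the example.

```python
"""Added example for this thread: revoke sessions on password change and
give them an absolute lifetime. Illustrative only; not DroneDeploy's code."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the example self-contained; any modern
    # password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    # Bumped whenever existing sessions must stop working: password change,
    # "sign out everywhere", suspected compromise.
    session_generation: int = 0


@dataclass
class SessionStore:
    max_age_seconds: int = 7 * 24 * 3600        # assumed absolute lifetime
    revoke_on_password_change: bool = True      # False models the behaviour reported above
    now: float = 0.0                            # simulated clock (deterministic, offline)
    users: dict = field(default_factory=dict)
    # token -> (username, generation captured at login, issue time)
    sessions: dict = field(default_factory=dict)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt))

    def _check_password(self, user: User, password: str) -> bool:
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def login(self, username: str, password: str):
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, user.session_generation, self.now)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, gen, issued_at = entry
        if self.now - issued_at > self.max_age_seconds:
            return False                        # absolute lifetime exceeded
        # A session from an older generation is rejected without the store
        # ever having to find and delete its token.
        return gen == self.users[username].session_generation

    def change_password(self, username: str, old: str, new: str) -> bool:
        user = self.users[username]
        if not self._check_password(user, old):
            return False
        user.salt = os.urandom(16)
        user.pw_hash = _hash_password(new, user.salt)
        if self.revoke_on_password_change:
            user.session_generation += 1        # invalidates every existing session
        return True


def demo_password_change(revoke: bool) -> bool:
    """Is an older 'Firefox' session still valid after the password is changed?"""
    store = SessionStore(revoke_on_password_change=revoke)
    store.add_user("vr-pilot", "old-password")
    firefox = store.login("vr-pilot", "old-password")
    store.change_password("vr-pilot", "old-password", "new-password")
    return store.is_valid(firefox)


def demo_absolute_expiry() -> bool:
    """Is a session still valid three weeks after login, with no other change?"""
    store = SessionStore()
    store.add_user("vr-pilot", "old-password")
    token = store.login("vr-pilot", "old-password")
    store.now += 21 * 24 * 3600                 # advance the simulated clock 3 weeks
    return store.is_valid(token)


if __name__ == "__main__":
    print("old session survives password change (no revocation):", demo_password_change(False))
    print("old session survives password change (with revocation):", demo_password_change(True))
    print("three-week-old session still valid:", demo_absolute_expiry())
```

Run it directly and the first line prints `True`, reproducing the reported behaviour; the other two print `False`. In a real deployment the generation counter (or an equivalent “not valid before” timestamp) lives with the user record and is checked on every request, so a password change or an explicit “sign out of all devices” takes effect immediately without enumerating sessions across browsers the user no longer has access to.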

Hi @vr-pilot,

Thanks for swinging by the DroneDeploy Forum. I would like to clarify that the embedded link is intended to show all 4 layers of the map and not one single layer like our export toolbox does.

As for the safety concerns regarding dashboard access, the confusion here seems to be associated with the login credentials that you had in your browser when you embedded the link. If a user who is not logged in, or a logged-in user who doesn’t have access to this data, views the embedded link, they will not be able to navigate backward to other data. In other words, only signed-in users who have access to the data will be able to navigate back to the dashboard view. Hope this helps to clarify your question regarding the way our embedded functionality works.

Happy mapping!