Appsheet Compromised by Unauthorized Email Accounts: Lack of Effective Support Responses

As a developer working on a sensitive and yet-to-be-completed app, I'm facing a critical issue with Appsheet. The core of the problem? An unknown individual is accessing my app without authorization. I've taken all necessary precautions, including enabling 'Require user signin?' and disabling 'Allow all signed-in users'. Despite these measures, I'm dealing with an unwelcome intruder.

Now, let's address the bigger issue: your support team's response, or rather, the lack thereof. Three days ago, I contacted your support team, anticipating some level of competence. What I got instead was a masterclass in inefficiency. My urgent request was met with delays, sidestepping, and eventually, a boilerplate email that did nothing to resolve the issue. It's a simple task: check who's accessing my app and block them if they're not authorized. But your team seems more interested in prolonging this issue than solving it.

I'm not sure if you realize the gravity of this situation. When someone reports a critical issue, it demands immediate attention, not bureaucratic foot-dragging.

To the manager or director of Appsheet: your team's inefficiency has thrown both your platform and its advocates into a dismal state of affairs. It's a disservice to everyone relying on your platform for their projects. This isn't just frustrating; it's a glaring flaw in your system that needs immediate rectification.

Important: My previous support tickets have been left unresolved for days, weeks, and even months, with nothing more than generic, copy-pasted responses. At this point, I'm beyond seeking assistance from the support team or their specialists. To all fellow users: I strongly advise you to review your own apps for similar issues. It seems there's a systemic problem here that needs your attention.

If you check from the Audit logs, are you able to see the same email address there?

Someone has been merely viewing my app, with no interaction except for a single day. However, when I checked the audit logs, I couldn't find any trace of this activity. Additionally, there are other email accounts that have been using the app. My main concern is figuring out how these users gained access. Unfortunately, the complete silence from the support team is not helping to resolve this issue.

In general... if the user is not present in the Audit logs, you can count on that as that shows exactly what has happened and by whom. Then it would mean there is something wrong with the user statistics.

There was another user accessing it.

At that moment (seen from the Audit logs), is it possible that your app's authentication was not fully activated with your app setups?

If someone is accessing the app, but not getting anywhere - as evidenced by no audit logs from that person's email - then most likely what happened was someone simply tried to open the app, but was rejected by the system.

  • You'll see users like this in the user-logs, even though they didn't get through or do anything... the fact that that email tried to access the system is enough for the user-logs to add that into the mix.

Maybe something like this is happening?

If that would be the case, you would see it from the Audit logs with access denied.


@AleksiAlkio wrote:

Audit logs with access denied.


There is absolutely no information or trace about this user in the audit logs. @AleksiAlkio 

After four days of waiting, the support team finally acknowledged the bug that @MultiTech had explained. It seems they are now attempting to address and fix this issue.

So... the problem was with the User Statistics?

We would like to inform you that the unauthorized user did not gain access to the app. When an unauthorized user attempts to access an app we record an audit log record. This record will be visible in the audit history if it happened in the last 7 days. We have an existing bug where we sometimes do not exclude these logs from our usage statistics calculations. This is why you are seeing the user listed in your usage stats.

Additionally, we've submitted a fix and we should be correctly excluding the unauthorized usage records from our usage statistics. This will fix the issue going forward, but will not change existing usage statistics.

Here is the email copy. It appears to be a bug related to the statistics.

As I thought, thanks!

Yes, you were right... thanks @AleksiAlkio
