Security Concern. Help.
So I recently got an email from Ed Jennings, the CEO, alerting me about an incident wherein one of the employee emails was used for a phishing scam. They went into detail about what they did to stop it and what I should do and so on. However... The email they provided to ask further security-related questions, security-awareness@quickbase.com, was deemed no longer valid by my Outlook client. Now I'm worried if this email alert itself is fraudulent. And the fact that I do not see any alerts in my admin console for my realm makes me more suspicious.

------------------------------
James Dalton
------------------------------

4 Views, 0 likes, 2 Comments

Access Record data from an html page via API call
I have had a hard time getting accustomed to working with API calls from outside of Quick Base, since I have limited experience with XML. Finally, after struggling quite a bit, I have come up with a (seemingly) decent method for getting/accessing record data from an API call in an HTML page. I will post the code below; please provide any feedback on this method, as I am still early in using Quick Base API calls.

This method uses the option to return the record data as a 2-dimensional array that can be accessed with "qdb_data[x]", where the "x" is the index selector. You can easily check the number of returned records by looking at "qdb_data.length".

<head>
<script lang="javascript" src="yourdomain/db/yourtable?a=API_GenResultsTable&query={'field id'.operator.matchvalue}&jsa=1&apptoken=[yourtoken]">
</script>
<script>
function displayData(){
  alert(qdb_data);
}
</script>
</head>

Curious about the security of having the API info and app token within the client-side code. Obviously a QB code page is fairly secure compared to a remote code page, but still curious about it. Thanks everyone.

12 Views, 1 like, 3 Comments

Security Concern
Hi All,

One of our clients has raised security concerns while accessing QuickBase using APIs. Following is the sequence of the calls made to access QuickBase from the external system.

First call for the authentication to get the ticket:

POST //db/main HTTP/1.1
Host: https://target_domain
Content-Type: application/xml
QUICKBASE-ACTION: API_Authenticate
Cache-Control: no-cache
Postman-Token: a66300eb-891b-2764-d7ad-f4a6e0b45452

<qdbapi>
  <username>USER NAME</username>
  <password>PASSWORD</password>
  <hours>24</hours>
</qdbapi>

O/P: Ticket

After the first call of authentication, when subsequent calls are made to QuickBase without passing the ticket, we still get the desired output, and this poses a serious security concern, as anyone can make random calls to QuickBase and get data while the ticket is valid.

Second call without ticket:

GET /db/bm272rhqa?a=API_DoQuery&query={'3'.EX.'42'}&clist=3 HTTP/1.1
Host: https://target_domain
Cache-Control: no-cache
Postman-Token: e71e843e-1a90-54f8-cfac-80a6bfe8d89b

O/P: Desired XML Data

As an immediate fix we have asked the client to use the "API_SignOut" API to invalidate the ticket, but if the ticket has a duration of, say, 4 hours, is it possible during those four hours to make sure that no API calls can be made to QuickBase without passing a valid ticket in each API call?

Thanks

0 Views, 1 like, 2 Comments

I'd like to propose addressing the current allowable password length (20 characters).
Our single sign on environment allows up to 48 characters and the current limit should support NIST guidelines (800-63B):

Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length. [...]

Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes. Extremely long passwords (perhaps megabytes in length) could conceivably require excessive processing time to hash, so it is reasonable to have some limit.

1 View, 2 likes, 4 Comments

Why "Password Reset Error"?
I have a user who has forgotten her email. She goes through the "forgot password" procedures, the system sends her an email, and when she clicks on the email, it takes her to a "Password Reset Error" page, with the message "The email link you clicked on to reset your password was expired. For reasons of security, this link expires 90 minutes after QuickBase sends them. You may try to reset your password by pressing the button below." She's tried clicking that button, and it sends a new email, and when she clicks that link, it takes her to the same "Password Reset Error" page. She's on Chrome. I've tried having her clear cookies and cache, but so far, no luck. Any ideas?

3 Views, 0 likes, 2 Comments

Monthly Subscription with a Report Link
Hello All,

Is there a way to send a Monthly Subscription with a link to a report rather than including the report data in the body of the email or as a PDF or CSV attachment? Much of our report data includes personal information that we want to be sent via secure email. Providing a link would at least require a person potentially intercepting an email to be set up as a user or enter an accurate password to access the information. I realize a Notification could be set up; however we wouldn't want an email every time a change occurs - only weekly or monthly, and it would be helpful to give easy access to the report [via link] to view all associated records.

Thanks in advance for your time and assistance!

2 Views, 1 like, 2 Comments