Appropriate attachment permissions
Manabu Uchikata
When you attach a file to a ticket, a URL like “https://support.foqal.io/api/attachments/*****” is generated. Anyone who knows this link can access it.
This means that if the URL is leaked for any reason, it is possible to bypass authentication for Slack or Foqal and access the attached files.
A mechanism is required to prevent the generation of URLs that allow unauthenticated access to attachments.
・Files uploaded via Slack must use the file's URL directly.
・When synchronizing attachments between different interfaces, appropriate access rights must be managed, even if this requires copying the file.
・Access to attachments requires some form of authentication.
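The following is an added illustration of the last two requirements, not Foqal's code and not part of the original post. It models a download endpoint that refuses any request without an authenticated user, checks that the user is a participant of the ticket the attachment belongs to, and, for links that must be handed out (for example to sync an attachment into another interface), issues HMAC-signed tokens that expire after a few minutes and are bound to one user and one attachment, so a leaked link is useless to anyone else and stops working on its own. Ticket, Attachment, SECRET_KEY, TOKEN_TTL and the sample data are assumptions made for the example.

```python
"""Access control for ticket attachments.

Added example; not Foqal's implementation. Names and sample data are
assumptions for illustration.

Two controls are shown:
  1. authorize_download(): a file is served only to an authenticated user
     who is a participant of the ticket the attachment belongs to; knowing
     the attachment id alone is never enough.
  2. Short-lived, HMAC-signed download tokens bound to one user and one
     attachment, so that a copied or leaked link expires instead of
     working forever. Authorization is re-checked at download time, so a
     user removed from a ticket loses access even with a valid token.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class Ticket:
    ticket_id: str
    participants: frozenset  # user ids allowed to see the ticket


@dataclass
class Attachment:
    attachment_id: str
    ticket_id: str
    filename: str


# Constructed sample data standing in for the ticket and attachment store.
TICKETS = {
    "T-100": Ticket("T-100", frozenset({"alice", "bob"})),
    "T-200": Ticket("T-200", frozenset({"carol"})),
}
ATTACHMENTS = {
    "att-1": Attachment("att-1", "T-100", "invoice.pdf"),
    "att-2": Attachment("att-2", "T-200", "diag.png"),
}

SECRET_KEY = b"rotate-me-this-is-a-demo-key"  # assumption: server-side secret
TOKEN_TTL = 300  # seconds a minted link stays valid (assumption)


def authorize_download(user_id, attachment_id):
    """True only for an authenticated user on the attachment's ticket.

    user_id is None for an unauthenticated request, which is always denied.
    """
    if user_id is None:
        return False
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return False
    ticket = TICKETS.get(att.ticket_id)
    return ticket is not None and user_id in ticket.participants


def _sign(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_download_token(user_id, attachment_id, now=None):
    """Issue a token bound to (user, attachment, expiry).

    Call only after authorize_download() has succeeded for this user.
    """
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{user_id}:{attachment_id}:{exp}"
    return f"{payload}:{_sign(payload)}"


def verify_download_token(token, attachment_id, now=None):
    """Return the user id the token was minted for, or None if the token is
    malformed, tampered with, expired, or issued for another attachment."""
    try:
        # rsplit from the right so a user id containing ':' still parses.
        user_id, att_id, exp_s, sig = token.rsplit(":", 3)
        exp = int(exp_s)
    except ValueError:
        return None
    if att_id != attachment_id:
        return None
    if not hmac.compare_digest(_sign(f"{user_id}:{att_id}:{exp_s}"), sig):
        return None
    if exp < int(now if now is not None else time.time()):
        return None
    return user_id


def serve_attachment(token, attachment_id, now=None):
    """Download endpoint: the token must verify AND the bound user must still
    be authorized for the attachment. Returns (status, filename)."""
    user_id = verify_download_token(token, attachment_id, now=now)
    if user_id is None or not authorize_download(user_id, attachment_id):
        return (403, None)
    return (200, ATTACHMENTS[attachment_id].filename)
```

In a real deployment the user id would come from the Slack or Foqal session rather than from a function argument, and SECRET_KEY would be a managed, rotatable secret; the two checks (who is asking, and is the link still valid) stay the same.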