A third-party vendor that hosts our data is sending us links to an Amazon S3 server to download reports of our data as a CSV. The endpoint does not check any permissions of the person trying to download the data, meaning anyone with the link can download the data. Furthermore, by changing parts of the name of the CSV, you can download different reports going back to when the reports first started getting sent. After some testing of receiving different reports, I have worked out that the URL is formatted something like this: https://s3-us-west-1.amazonaws.com/<third-party-prod>/<random string representing our company>/<random string grouping types of reports>/<report-name-DATE>.csv
Since no one should be able to guess the URL (I'm assuming it contains intentionally random strings?), the only people who should be able to see it are the people who have received the URL at some point.
Thinking about it more, it seems like a big deal. If an employee saves the URL, they will have access to our inventory even after leaving the company. Furthermore, whenever an employee accesses that report through a router, that router now has nearly full access to our data. This means every employee's home router and every public router now has access to our company data.
As per this post, it seems public facing links aren't bad if they are signed, but from my understanding this URL is not signed (since I can access data from 3 months ago by changing the file name). I feel like we should get a unique URL to download the file rather than have them all be formatted identically. That link should also expire after a certain amount of time.
I am curious if this is acceptable, a bad but normal practice, or if it's something I should escalate.
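To make the distinction in the question concrete, the following is an added example (not code from the question, the vendor, or the AWS SDK; in practice a vendor would call the SDK's presigned-URL helper and S3 itself performs the verification). It builds an AWS Signature Version 4 presigned GET URL for a path shaped like the one in the question, then verifies it the way the server side would. The bucket, prefixes, file name, key ID and secret are all constructed placeholders. The point it shows: the signature covers the exact object path and the expiry window, so changing the date in the file name, extending X-Amz-Expires, or using the link after it expires all fail, and the bare unsigned URL from the question is rejected outright.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholders; the real vendor key ID and secret are not in the post.
HOST = "s3-us-west-1.amazonaws.com"
REGION = "us-west-1"
SERVICE = "s3"
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0001"
SECRET_KEY = "example-secret-key-not-real"
MAX_EXPIRES = 7 * 24 * 3600  # S3 caps presigned URLs at seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(datestamp: str) -> bytes:
    # SigV4 key derivation: the secret is never used directly on the request.
    k = _hmac(("AWS4" + SECRET_KEY).encode(), datestamp)
    k = _hmac(k, REGION)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def _signature(path: str, params: dict, amz_date: str, datestamp: str) -> str:
    # Canonical request binds method, exact path, every X-Amz-* parameter and the host.
    canonical_uri = "/".join(quote(seg, safe="-_.~") for seg in path.split("/"))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    scope = f"{datestamp}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    return hmac.new(_signing_key(datestamp), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(path: str, now: dt.datetime, expires: int = 900) -> str:
    """Return a presigned GET URL for `path` valid for `expires` seconds from `now` (aware UTC)."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY_ID}/{datestamp}/{REGION}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(path, {k: v for k, v in params.items()}, amz_date, datestamp)
    query = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in params.items())
    return f"https://{HOST}{path}?{query}"


def verify(url: str, now: dt.datetime) -> bool:
    """Server-side check: signed, unexpired, and signature matches path and parameters."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc != HOST:
        return False
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    sig = params.pop("X-Amz-Signature", None)
    required = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-SignedHeaders"}
    if sig is None or not required.issubset(params):
        return False  # the unsigned URL from the question lands here
    if params["X-Amz-Algorithm"] != "AWS4-HMAC-SHA256" or params["X-Amz-SignedHeaders"] != "host":
        return False
    try:
        issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
        expires = int(params["X-Amz-Expires"])
        key_id, datestamp, region, service, term = params["X-Amz-Credential"].split("/")
    except ValueError:
        return False
    if not 0 < expires <= MAX_EXPIRES:
        return False
    if now < issued or now > issued + dt.timedelta(seconds=expires):
        return False  # link has expired (or is not yet valid)
    if (key_id, region, service, term) != (ACCESS_KEY_ID, REGION, SERVICE, "aws4_request"):
        return False
    if datestamp != params["X-Amz-Date"][:8]:
        return False
    expected = _signature(unquote(parts.path), params, params["X-Amz-Date"], datestamp)
    return hmac.compare_digest(expected, sig)  # constant-time compare; a guessed path fails here


if __name__ == "__main__":
    issued_at = dt.datetime(2019, 6, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
    path = "/third-party-prod/acme-a8f3/inventory-c41d/inventory-report-2019-05-31.csv"
    link = presign(path, issued_at, expires=900)
    print(link)
    print("valid now:", verify(link, issued_at + dt.timedelta(minutes=5)))
    print("valid after 16 min:", verify(link, issued_at + dt.timedelta(minutes=16)))
    print("older report by editing date:", verify(link.replace("2019-05-31", "2019-02-28"), issued_at))
    print("bare unsigned URL:", verify(f"https://{HOST}{path}", issued_at))
```

A presigned link still carries no per-user authorization: whoever holds it can fetch that one object until X-Amz-Expires elapses, so a short lifetime is what limits the saved-link and shared-router exposure described above. Per-report signatures also remove the guessable structure, since a signature computed for one file name is useless for any other.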