I have recently discovered a serious security flaw in Constant Contact.
If you include a Document Link in an email so that recipients can download a file, you should be aware that even if you delete the file from your Constant Contact library, it remains accessible to anyone who clicks that link in the email.
Which essentially means that Constant Contact does not actually delete the source file from its servers when you delete items in your library.
Thank you for bringing this to our attention. I apologize for any confusion on the document deletion process in the Library. When you delete a file (whether it be an image or document) it goes to the Trash folder. Even though it is in the trash, the file is still being hosted. When you go to the trash folder itself you will see an option to "Delete forever." This should break the link so that it is no longer accessible.
If you still find that the link is active it is possible that the file itself has become cached in your browser's data so it will come up when clicked on. As a test, I would try accessing the link from another browser just to see if it still appears. If it does, please email us at social_support(at)constantcontact(dot)com with your username, the document link you want broken, and a reference to this post and we can investigate further!
Thanks for bringing it to my attention that deleting a library file doesn't really delete the file, but merely moves it to the Trash. I understand that allows recovery of files accidentally deleted, but those files should not be accessible to the public any more.
I followed your instructions for permanently deleting the items in the Trash, but this did not make them inaccessible to the public.
I cleared my Safari cache and history, but the documents are still available. I also tried using Chrome and have the same result: the deleted files are NOT deleted and remain accessible to the world.
This is a serious breach of security.
Thank you for letting me know the files are still accessible even when they have been permanently deleted. I also saw that you sent me an email so I will do a more formal follow-up there but I wanted to let you know I am creating a case to our upper level support team to look into what might be going on.
Hello @AminJ5. It looks like we are already assisting you with your deleted file so we will continue our conversation through there.
Hello @EricaS39. We are aware of some cases where document links are still active even after the file has been permanently deleted. I see that you were able to chat with our Support team this morning and it looks like they were able to assist you with your file. Please let us know if there is anything else that we can help with!
Sorry to inform you, but this is not an isolated incident that is afflicting "some cases."
The problem persists to this day, despite my having alerted staff to the bug months ago.
Just this morning I deleted a file (moving it to the trash) from my library, then chose "Delete Forever."
Despite Constant Contact's claim that this would delete the file forever, making it inaccessible to anyone, I find that the file remains downloadable to anyone to whom I had previously sent the document link.
As others have pointed out, this is a serious security flaw in the system and needs to be fixed ASAP.
Hello @OwenL4. It's possible that the document link might be cached in your browser and this is why you are able to view it after it has been deleted. Have you tried accessing the link using a different browser window? If you are able to still view the document after doing this, please email us at social_support(at)constantcontact(dot)com with your username, a reference to this post, the link you wish to have permanently deleted and the name of the file if possible. Thank you!