Is my Roam Research graph exposed?

Evergreen 🌳 - Published October 5, 2022

Roam Research has a feature called "Page Permissions" that if enabled will publicly expose your graph to hackers.

This experimental feature allows you to granularly share certain pages of your graph with the outside world. However, the way that the Roam team accomplishes this has major security flaws that makes your graph not secure and allows it to be downloaded by hackers, or anyone who is tech savvy.

If you want to check your graph's privacy, you can see if it's exposed by using the following tool.

Test my graph's privacy

Please type your Roam DB name in the search box above and press "test"

How do I disable the feature?

First, open the "Share" menu in the top right hand corner of Roam.

The opened menu in the top right corner of Roam showing the share option

Next disable the toggle next to the text "Page Permissions".

The opened share menu showing the page permissions toggle

Voila! Your graph is now private.

I want to keep page sharing enabled, what should I do?

Enabling the sharing feature at all is very dangerous. Anyone who wants to "hack" your graph needs to know it's name. By sharing your graph, you expose the database name in the URL.

If you really feel like you want to share your Roam graph, only share it with people you trust, and make sure your Roam database name is impossible to guess.

Bennett is a Software Engineer working at CipherStash. He spends most of his day playing with TypeScript and his nights programming in Rust. You can follow him on Github or Twitter.