With Figma’s AI releases, all eyes are on how they are going to store and process our data. But have you considered that non-AI plugins and widgets might also be compromising sensitive information? Here’s how to secure your data:

What are Figma plugins and widgets?

Widgets and plugins in Figma are tools that extend the functionality of the design platform. Widgets offer interactive elements directly within your design files, while plugins provide additional features and automation to streamline your design workflow.

Any user in the Figma community is able to publish both widgets and plugins. Designers, developers, and teams can design and distribute these tools to improve platform functionality and collaboration. Openness allows for creative and practical solutions, but that means you must be mindful about tool security and privacy. Yes, the creator of the plugin or widget you use could potentially access all the data in your file.

What types of information can plugins and widgets access?

Information that plugins can access includes:

• The username, ID, and avatar of any users in the file
• Current cursor position of file participants
• Current viewport—the area of the canvas or board that is visible on screen
• All layers and objects that are in the file
• The ID of selected layers or objects

Wild, huh? 🤡

If someone with bad intentions adds a widget that can share and store data, that means they can access pretty much everything in your file without having actual viewer or editor access.

How can I check if a plugin or widget is risky?

Step 1: Go to the plugin or widget page in the community.

From the design file, you can click “View details”:

In the details modal, click “See more details in Community”.

You can also go to Figma’s Community page and search by the name of the plugin or widget.

In the right sidebar of the plugin or widget description, you should see some badges:

There are two important badges to notice: “Data security information available” and “Network access.”

If a plugin or widget has none of these, that means the creator didn’t provide information about how they store and use data. I wouldn’t advise using it if that’s the case.

Understanding security badges

Data security info:

That one is clickable! Click it to open a list of questions and disclosure principles for that plugin/widget:

Here’s a table from Figma to help you understand each question.

Ideally, the plugin/widget should not store any data and should not process information on a third-party service, since Figma’s Privacy Policy does not apply to any third-party websites, services, or applications, even if they are accessible through their Services.

If it does use a third-party service, consider replacing the plugin/widget or checking their own privacy policy to make sure everything is okay.

Network access:

Plugin developers can voluntarily specify the domains that their plugins will access:

• Unknown network access:
  • Description: The widget’s network permissions aren’t clearly defined.
  • Implication: It can access any website or domain without restrictions.
• Unrestricted network access:
  • Description: The widget can access any website or domain.
  • Implication: The developer has provided a reason for this level of access.
• Restricted network access:
  • Description: The widget can only access specific, pre-approved websites or domains.
  • Implication: It limits the widget’s internet activity to a safe list of sites.
• No network access:
  • Description: The widget cannot access any websites or domains.
  • Implication: This is the safest option, as the widget operates entirely offline. The developer might explain why this restriction is in place.

With all that in mind, always review your plugins and widgets to avoid any security breaches.

Other nice security tips for Figma

Designer, why should you care so much about security?

Even if our work does not involve real data from customers, industrial espionage is a real thing. When working on new features, we’re working with information that could set a company apart from its competitors, so it’s always good to secure the data of your work.

• Use strong passwords: That one is a “duh” one, but always good to keep in mind. Update your passwords regularly too.
• Don’t use Real data in your designs!!!: Unless you want someone in the company to know your phone number, always use fictitious information. Make sure the information is precise but not real: Use fake names, addresses, and data instead of lorem ipsum text. This way, you get a better sense of how the design will work in real life.
• Control access: Limit access to your design files to only those who really need it, avoiding “anyone with the link” settings, as someone might share it where they shouldn’t, and you’ll take the blame. Always review who has access and remove people who are no longer involved.
• Back up your data: Regularly back up your design files to prevent data loss due to accidental deletion or other issues. Also, check the privacy policy of the place where you’re storing your data!
• Educate your team: It’s not enough for just a few people to protect the information; it should be everyone’s responsibility. Sharing this post can be a great way to kickstart the conversation. 🙂

References:

• Security disclosure principles, Figma Help Center
• Use widgets in files, Figma Help Center
• Use widgets in files, Figma Help Center
• Privacy Policy, Figma Legal
• What is industrial espionage?, TechTarget