Typeform fixes Zendesk Sell form data hijacking vulnerability


Online surveys and form building software as a service Typeform has patched an information hijacking vulnerability.


The flaw, which existed in Typeform's Zendesk Sell app integration, could let attackers quietly redirect form submissions containing potentially sensitive data to themselves.


Typeform form IDs indexed by search engines


Online survey and form creation tool Typeform lets users create webpages for easy data collection from users.


Every such form created on the platform has a unique "form ID," such as hHXhmf, which in the case of publicly accessible surveys may be indexed by search engines, as observed by BleepingComputer.



[Image: Typeform surveys and online forms indexed by search engines. Source: BleepingComputer]

Behind the scenes, Typeform's systems use this form ID throughout workflows to keep track of form submissions and transmit collected data between different parts of the application.


Under normal circumstances, knowledge of this form ID would merely let any user access and fill the corresponding survey.


However, a severe vulnerability in Typeform meant that attackers who knew this ID could covertly gather the responses submitted to virtually any form.


Broken Zendesk integration lets attackers hijack submissions


Without explicitly naming Typeform, bug bounty hunter Ronak Patel recently provided details on an Insecure Direct Object Reference (IDOR) bug that impacted "an app [used] to generate forms for surveys, quiz and more."


On further investigation, BleepingComputer identified the flaw had existed in Typeform.


IDOR vulnerabilities occur when a system object is exposed through a user-supplied reference (such as an ID) and the application acts on that reference without checking that the requesting user is authorized to access the object.


In this case, the object refers to a Typeform form/survey and the reference is the "form_id" that can let attackers tap into the data submitted for a f ..
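To make the IDOR pattern described above concrete, here is an added example that is not Typeform's or Zendesk's code. It models, in a constructed in-memory store, the piece of a form service that maps a form ID to the endpoint its submissions are forwarded to. The vulnerable binder checks only that the form ID exists; the fixed binder resolves the ID within the calling tenant's own scope, so knowing a public form ID grants nothing. All tenant names, form IDs and URLs are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class Form:
    form_id: str
    owner_id: str


class Forbidden(Exception):
    """Raised when a caller tries to configure a form it does not own."""


class IntegrationStore:
    """Constructed stand-in for the part of a form service that records
    where each form's submissions are forwarded (e.g. a CRM endpoint)."""

    def __init__(self, forms):
        self.forms = {f.form_id: f for f in forms}
        self.destinations = {}

    def owns(self, caller_id, form_id):
        # Ownership check: the reference is only valid inside the
        # caller's own scope.
        form = self.forms.get(form_id)
        return form is not None and form.owner_id == caller_id

    def bind_vulnerable(self, caller_id, form_id, destination):
        # IDOR: the (possibly public) form_id is the only thing checked.
        # caller_id is never consulted, so anyone who knows the ID can
        # change where the form's responses are delivered.
        if form_id not in self.forms:
            raise KeyError(form_id)
        self.destinations[form_id] = destination
        return destination

    def bind_fixed(self, caller_id, form_id, destination):
        # Fix: a form the caller does not own is treated exactly like a
        # form that does not exist, so the public ID alone grants nothing
        # and the response does not confirm whether the ID is valid.
        if not self.owns(caller_id, form_id):
            raise Forbidden(f"{caller_id} cannot configure {form_id}")
        self.destinations[form_id] = destination
        return destination

    def destination_for(self, form_id):
        return self.destinations.get(form_id)


def make_store():
    # Constructed data: two tenants, each owning one form.
    return IntegrationStore([
        Form("hHXhmf", "tenant-a"),
        Form("kQ2zLp", "tenant-b"),
    ])


def demo():
    """Return (vulnerable_outcome, fixed_outcome): the destination bound to
    tenant-a's form after tenant-b submits a cross-tenant binding request
    against each version of the handler."""
    store = make_store()
    store.bind_fixed("tenant-a", "hHXhmf", "https://crm.example/tenant-a")
    store.bind_vulnerable("tenant-b", "hHXhmf", "https://other.example/sink")
    vulnerable_outcome = store.destination_for("hHXhmf")

    store = make_store()
    store.bind_fixed("tenant-a", "hHXhmf", "https://crm.example/tenant-a")
    try:
        store.bind_fixed("tenant-b", "hHXhmf", "https://other.example/sink")
    except Forbidden:
        pass
    fixed_outcome = store.destination_for("hHXhmf")
    return vulnerable_outcome, fixed_outcome


if __name__ == "__main__":
    print(demo())
```

The design point is that the fix does not add a separate "does this form exist" lookup followed by an ownership check; it folds both into one scoped lookup, which is the usual remedy for IDOR in multi-tenant APIs and also avoids leaking which IDs are valid.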
