Typeform Patched an Information Hijacking Vulnerability


Online survey and form creation tool Typeform allows clients to make website pages for easy information gathering from clients. Each such form made on the platform has a special "form ID, for example, hHXhmf, which on account of publicly accessible surveys might be listed via search engines. Typeform's systems utilize this form ID all throughout work processes to monitor form submissions and transmit gathered information between various parts of the application. Under typical conditions, information on this form ID would just allow any client to access and fill the corresponding survey. A serious vulnerability in Typeform implied, assailants could secretly accumulate responses put together by respondents for virtually any form, should they know about this ID. 

 Typeform's bug tracker Ronak Patel recently gave details on an Insecure Direct Object Reference (IDOR) bug that affected "an application [used] to create structures for surveys, quiz and more." IDOR vulnerabilities happen when a system object which has a reference that can be accessed in an unapproved way directly by clients. For this situation, the object implies a Typeform form/survey and the reference is the "form_id" that can allow assailants to take advantage of the information submitted for a form.

Typeform permits integration of applications and web services like Google Analytics and Zendesk Sell to help upgrade the handling of form submissions. For instance, survey creators can utilize the Zendesk Sell application and guide the survey response fields to the Zendesk Sell fields in their account for data analysis. Patel made a test Zendesk Sell account and incorporated it with his Typeform account. He noticed the network requests, including the GET and POST fields, being traded among Typeform and Zendesk Sell all throughout the integrated workflow. Then the "form_id" field, drew his attention.

The researcher moreover made an "attacker's" Zendesk Sell account for testing and saw it was conceivable to tamper with the "form_id" field being communicated in the integration request to an arbitrary value, for example, the form_ID of a Typeform survey belonging to the victim. This implies cybercriminals could reap the gathered survey responses inside their Zendesk Sell accounts, with the survey creator having no information on the unlawful activity occurring. 

Patel states the vulnerability was found by him around six months ago and fixed two months ago by the platform.