

  • Jotform - Do you delete posts that expose security vulnerabilities within Jotform? It appears so.

    Asked by iStore on July 28, 2011 at 01:13 PM

    Do a forum search for 'sham'. The first link is related to the password-protected form vulnerability / bug. However, when you click it, it takes you to a different post. That 'Sham' post was posted by me in the form of a concern looking for a solution from Jotform. Evidently you don't have a solution, so you have deleted the post or redirected it to the post that gives the instructions on how to password-protect access to your form, but still with no mention that those passwords can be seen by anyone and everyone in the source (HTML) of the page.

    C'mon Jotform, I really like what you guys are doing, but step up and fix this issue and stop deleting posts that are informative (although a bit damning for jotform) and helpful to your users.

    Page URL:
    http://www.jotform.com/answers/search.php?search=sham

  • JotForm Support

    Answered by NeilVicente on July 28, 2011 at 02:50 PM

    Hi,

    As far as I remember, I only set your post to private, because of the nature of the language used in it. I am not sure who deleted it, but if I remember correctly, we posted our responses in that thread. You should have received the responses in your email.

    Now, moving on to the security vulnerability issue that you were talking about. As I mentioned in my response, the password protection 'feature' that we suggest to users is merely a workaround, since our Form Builder does not really have any password protection of any sort.

    The passwords show in the source code of the form because variables used for conditions are in fact placed inside the source code. It is up to you whether you want to use it, knowing that the password is in the source. Still, I'd like to reiterate that it is just a workaround and that we do not have a native password protection feature for forms.

    I will submit a ticket to see if there's a way to remove the condition variables from the source and hide it somewhere. Will let you know of any updates.


    Neil

  • Answered by iStore on July 28, 2011 at 03:40 PM

    There was no offensive language as you suggest. Forums are used to educate and assist users. Your deletion of it appears to be for other reasons, perhaps self-serving. I do appreciate you trying to find a better solution. I would suggest either a change in the name of the feature from 'password' or a dialogue box that explains the vulnerability when it is placed on a form. 'Password' implies secure, which, as we have discussed exhaustively, this 'feature' is definitely not. I apologize if I seem too persistent with this issue; I just feel it is irresponsible to mislead users into a false sense of security, whether it is intentional or merely negligent. I am sure many companies use your forms for highly sensitive information, especially considering the posts and information on here regarding HTTPS and how secure and safe JotForm claims to be. I wonder if this post will be made 'private' due to the nature of the language again.

  • JotForm Support

    Answered by NeilVicente on July 28, 2011 at 03:52 PM

    Hi,

    In my judgement, 'holy crap' is not something we'd like our users to read in this forum.

    Anyway, I personally apologize for failing to remind our users that 'passwords' are visible in the form's source code, especially since I was responsible for writing one of the threads referenced when that workaround gets suggested to our users.

    Like I said, I have already submitted a ticket to our higher ups to see what can be done with this issue.

    Thank you very much for your patience and understanding.


    Neil

  • JotForm Founder

    Answered by aytekin on July 29, 2011 at 05:16 AM

    I'm not sure what happened to that forum post. One of our support team members might not have liked the language, or might have thought it would be a good idea to hide a possible security problem from other users.

    We try to be very transparent. We have not hidden any negative posts in the past. I think being transparent is good for us, and if we have anything to be ashamed of, it is better to fix it than to try to hide it.

    We do edit the forum posts from time to time. Sometimes our users enter their private information, etc. Sometimes the post or the title is too confusing and we edit it to clarify the meaning.

    Regarding password protection of forms: JotForm does not have such a feature. This is just a hack. Since the conditions are run in client-side JavaScript, if you create a condition such as "if the password field equals 'secret password', show the page", the "secret password" part can be seen by looking at the source code of the page. So, anybody using that hack should be aware of that possibility.

    We should probably add such a feature so that our users do not have to use hacks that might not be secure. We should also warn users who use that hack that it is insecure.

    Thanks for keeping us on our toes. :)
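
The point made in this thread, as an added example that is not JotForm's code and not part of the original thread: a condition that has to run in the browser must ship its comparison value inside the served page, so a form owner can confirm the leak by checking the HTML they serve, whereas a server-side gate keeps the secret off the client. The HTML, the condition format and the `showPageIf` helper name below are constructed stand-ins, not JotForm's real markup or API.

```python
"""Added example: client-side 'password condition' vs. a server-side gate.
The HTML, condition format and showPageIf() helper are constructed stand-ins."""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets

# Constructed: a form whose 'password' is a client-side condition. The rule
# must reach the browser to run there, so the secret ships with the page.
CLIENT_SIDE_FORM_HTML = """
<form id="form1">
  <input type="password" name="q1_pw" id="input_pw">
  <div id="page2" style="display:none">confidential second page</div>
</form>
<script>
  // hypothetical condition helper: reveal page2 when q1_pw equals the value
  showPageIf("q1_pw", "equals", "secret password", "page2");
</script>
"""


def inline_script_strings(html: str) -> list[str]:
    """Return every double-quoted string literal inside <script> blocks.
    A form owner can run this over the page they serve to confirm that no
    credential-like value is embedded in client-side logic."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)
    literals: list[str] = []
    for body in scripts:
        literals.extend(re.findall(r'"((?:[^"\\]|\\.)*)"', body))
    return literals


def secret_exposed_to_client(html: str, secret: str) -> bool:
    """True if the secret appears anywhere in the HTML the browser receives."""
    return secret in html


class ServerSideGate:
    """Server-side alternative: the browser only sees an empty password field
    and a submit action. The comparison happens on the server against a salted
    PBKDF2 digest, so neither the password nor a usable hash is ever served."""

    ITERATIONS = 200_000

    def __init__(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password)

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), self._salt, self.ITERATIONS
        )

    def html_for_client(self) -> str:
        """The served page carries no secret and no condition logic."""
        return (
            '<form method="post" action="/unlock">\n'
            '  <input type="password" name="q1_pw">\n'
            '  <button type="submit">Continue</button>\n'
            "</form>\n"
        )

    def unlock(self, submitted_password: str) -> str | None:
        """Return the protected page only on a match. The constant-time compare
        avoids leaking, through timing, how much of the digest matched."""
        if hmac.compare_digest(self._hash(submitted_password), self._digest):
            return "<div>confidential second page</div>"
        return None


if __name__ == "__main__":
    print("literals in client-side rule:", inline_script_strings(CLIENT_SIDE_FORM_HTML))
    print("secret in served HTML:", secret_exposed_to_client(CLIENT_SIDE_FORM_HTML, "secret password"))
    gate = ServerSideGate("secret password")
    print("secret in server-gated HTML:", secret_exposed_to_client(gate.html_for_client(), "secret password"))
    print("unlock with wrong password:", gate.unlock("guess"))
```

`inline_script_strings` is the check a form owner would run against their own published page: any literal it returns is readable by every visitor, so a password should never be among them. The `ServerSideGate` half shows the shape a native feature would take, which is what aytekin's last paragraph proposes.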