- iStore, asked on July 28, 2011 at 01:13 PM
Do a forum search for 'sham'. The first link is related to the password-protected form vulnerability / bug. However, when you click it, it takes you to a different post. That 'Sham' post was posted by me in the form of a concern looking for a solution from Jotform. Evidently you don't have a solution, so you have deleted the post or redirected it to the post that gives the instructions on how to password protect access to your form, but still no mention that those passwords can be seen by anyone and everyone in the source (HTML) of the page.
C'mon Jotform, I really like what you guys are doing, but step up and fix this issue and stop deleting posts that are informative (although a bit damning for jotform) and helpful to your users.
- JotForm Support (NeilVicente), answered on July 28, 2011 at 02:50 PM
As far as I remember, I have only set your post to private because of the nature of the language used in it. I am not sure who deleted it, but if I remember correctly, we have posted our responses in that thread. You should have received the responses in your email.
Now moving on to this security vulnerability issue that you were talking about. As I mentioned in my response, the password protection 'feature' that we suggest to users is merely a workaround, since our Form Builder does not really have any password protection of any sort.
The passwords show in the source code of the form because variables used for conditions are in fact placed inside the source code. It is up to you if you want to use it, knowing that the password is in the source. Still, I'd like to reiterate that it is just a workaround and that we do not have a native password protection feature for forms.
I will submit a ticket to see if there's a way to remove the condition variables from the source and hide them somewhere. Will let you know of any updates.
- iStore, answered on July 28, 2011 at 03:40 PM
There was no offensive language as you suggest. Forums are used to educate and assist users. Your deletion of it appears to be for other reasons, perhaps self-serving. I do appreciate you trying to find a better solution. I would suggest either a change in the name of the feature from 'password' or a dialogue box that explains the vulnerability when placed on a form. 'Password' implies secure, which, as we have discussed exhaustively, this 'feature' is definitely not. I apologize if I seem too persistent with this issue; I just feel it is irresponsible to mislead users into a false sense of security, whether it is intentional or merely negligent. I am sure many companies use your forms for highly sensitive information, especially considering the posts and information on here regarding HTTPS and how secure and safe JotForm claims to be. I wonder if this post will be made 'private' due to the nature of the language again.
- JotForm Support (NeilVicente), answered on July 28, 2011 at 03:52 PM
In my judgement, 'holy crap' is not something we'd like our users to read in this forum.
Anyway, I personally apologize for failing to remind our users that 'passwords' are visible in the form's source code, especially since I was responsible for writing one of the threads referenced when that workaround gets suggested to our users.
Like I said, I have already submitted a ticket to our higher-ups to see what can be done with this issue.
Thank you very much for your patience and understanding.
- JotForm Founder (aytekin), answered on July 29, 2011 at 05:16 AM
I'm not sure what happened to that forum post. One of our support team members might not have liked the language, or thought that it might be a good idea to hide a possible security problem from other users.
We try to be very transparent. We have not hidden any negative posts in the past. I think being transparent is good for us, and if we have anything to be ashamed of, it is better to fix it than to try to hide it.
We do edit the forum posts from time to time. Sometimes our users enter their private information, etc. Sometimes the post or the title is too confusing and we edit it to clarify the meaning.
We should probably add such a feature so that our users do not have to use hacks that might not be secure. We should also warn users who use that hack that it is insecure.
Thanks for keeping us on our toes. :)