- dkerns Asked on January 29, 2016 at 12:57 AM
I am seriously concerned that Jotform is not encrypting files that are uploaded via forms on your server. I am very positive this is the case for the following reason:
1.) I used the API to perform a Get Submission for an encrypted form that had been submitted that also contained a file upload.
2.) The API returned JSON representation of the form content that was submitted. All of the input fields were encrypted as expected but the file upload field clearly referenced where the file upload was stored on your servers.
3.) Using the filename referenced I attempted to access the file from my browser. I was surprised to be able to see the image I had uploaded. Because it was the same machine I had my private key installed on I thought maybe that was the reason I was able to clearly see content that I thought was securely encrypted.
4.) My next test was to access the same URL https://files.jotform.com/jufs/dkerns/60118754516152/329845334081809405/YDT_Header.jpg from my mobile phone. I was able to see the file. I knew this should have never worked.
5.) I then went to another laptop and attempted to access the file and was able to see it. Not only am I able to access the file over HTTPS but I can see the file using HTTP as well. This file should never be viewed or downloaded over a non-secure HTTP connection. So no encryption on the file on your server and I don't require any authentication or private key to access it .... WOW.
I believe this is a serious breach in security and exposure if I'm uploading files to your server, they aren't being encrypted and are accessible by anyone gaining access to the right file name. When I request encrypting the form this has to include uploaded content since in some cases this would be the most sensitive information transmitted.
You have a serious issue here.
Please let me know that this will get high priority. This is not an issue that can be put in a development queue. This is very serious and is misrepresenting Jotform's security management and system to the customer. Many of us have come to Jotform because they offered encrypted/secure forms.
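The checks described in steps 1 to 5 above can be repeated against your own submissions with a short script. This is an added example, not part of the original thread and not Jotform code; the JSON field names, the `files.example.test` host and the sample values are constructed assumptions.

```python
import http.client
import json
from urllib.parse import urlsplit

# Constructed sample: field names and values are assumptions, not a real API schema.
SAMPLE = json.loads("""{"answers": {
  "3": {"type": "control_textbox", "answer": "q1ZKLs7PTVWyUjI0MgYA"},
  "4": {"type": "control_fileupload",
        "answer": ["https://files.example.test/uploads/acct/111/222/photo.jpg"]}}}""")

def find_urls(node):
    """Collect every http(s) URL string anywhere in a decoded JSON document."""
    if isinstance(node, str):
        return [node] if node.startswith(("http://", "https://")) else []
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    return [u for child in children for u in find_urls(child)]

def live_fetch(url):
    """Unauthenticated GET (no cookie, no API key); redirects are not followed."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        conn.request("GET", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location") or ""
    finally:
        conn.close()

def audit(url, fetch=live_fetch):
    """Return findings for one upload URL, probing both HTTPS and plain HTTP."""
    rest = url.split("://", 1)[1]
    findings = []
    # Finding 1: the file is returned to a client that presented no credentials.
    if fetch("https://" + rest)[0] == 200:
        findings.append("readable without authentication")
    # Finding 2: the file body is returned over cleartext HTTP instead of a redirect or refusal.
    if fetch("http://" + rest)[0] == 200:
        findings.append("served over plain HTTP")
    return findings

if __name__ == "__main__":
    for upload_url in find_urls(SAMPLE):
        # fetch is stubbed here so the demo runs offline; drop it to probe your own files.
        print(upload_url, audit(upload_url, fetch=lambda u: (200, "")))
```

An empty findings list for every upload URL means neither of the two transport and access problems reported in this thread was observed; it says nothing about whether the file is encrypted at rest.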
- JotForm UI Developer mert Answered on January 29, 2016 at 08:53 AM
Yes, you are right about this one: someone with the uploaded file URL can access the file even if the form is encrypted. However, if someone gets some data from the API, it has authentication. Please check the related information from the link below:
So, the user who doesn't own the account can't access its data in the first place. In the end, they can never get the URL of the uploaded file. At this stage, I need to ask you: does the account from which you took data via the API belong to you, and were you logged in to it?
I'm waiting for your answer.
- dkerns Answered on January 29, 2016 at 09:56 AM
I understand API authentication keys, session level and file based security acceptable practices to ensure confidential information can't be compromised. I have extensive experience in development and have led the technology team against internal and external auditors for a large organization with these exact types of exposures.
Yes, I am the owner of the API key that was used to obtain the file name of my downloaded file. Your statement "So, the user who doesn't own the account can't access its data in the first place" is 100% incorrect. I've proven that already.
We can't overlook the fact that you are storing my confidential content on your servers and it can be accessed without authentication and over HTTP (not even secured in transport over SSL). I requested that the form be encrypted. Jotform states that the content is encrypted on your servers which is false for uploaded files.
So the end result is:
1. Jotform does not encrypt my uploaded content with a public key before storing it on your server.
2. Anybody, in your organization, who has access to the file server can view my uploaded content without needing my private key to decrypt it.
3. Anybody on the entire WWW can view my file without authentication or having my private key. Additionally they can view my content over a non-secure HTTP connection.
To think that because someone can't obtain the file name they can't get to the file is like saying I just left a Rolls Royce in my driveway with the doors unlocked but I covered it up so nobody could see what it is. And now to expect that it will never be stolen.
Your file server is completely open and insecure in that anybody can see my confidential content. In that it is clearly visible indicates that your files can be seen by Web spider programs or even an average hacker that just wants to explore. Unless I am wrong and you have some unseen control from preventing this please let me know.
Please consider this a major risk and escalate to your upper management. I hope to hear from you soon.
- JotForm UI Developer mert Answered on January 29, 2016 at 11:26 AM
Don, I agree with your thoughts since the beginning of the conversation. I just wanted to know some information about API authentication while you were getting information. However, this is still a serious security hole in our file server. With URL information, anyone can monitor your uploaded files, because they are not encrypted even if the form is encrypted, so I'm going to escalate this thread to our developers and they will be on that issue as soon as possible. When there is an update about it, you will receive information from this thread via email.
Thank you for your cooperation and understanding.
- dkerns Answered on January 29, 2016 at 11:48 AM
Thank you very much.
I really want to propose Jotforms to my client but will need to wait for this hole to be filled in a bit. I will watch this thread and wait for a response, crossing my fingers that development realizes the importance and addresses it quickly.
- JotForm UI Developer mert Answered on January 29, 2016 at 11:55 AM
Don, you are most welcome. I understand your concerns and your feedback about this issue is really important to us. If your account will have sensitive data, this issue could be more important to you. As I mentioned earlier, news will be monitored on this thread.
- JotForm Support Kiran Answered on August 24, 2016 at 02:12 PM
Unfortunately, there is no update yet on the issue. If there is any update in this regard, you'll be posted here.
Your question is moved to a separate thread and shall be addressed there shortly.
- KadeJM Answered on November 02, 2016 at 09:31 AM
We would like to let you know that we've taken additional steps to help maintain secure uploads.
To find out more please check out our blog https://www.jotform.com/blog/259-Keeping-Your-Uploads-Secure for all the details.
- expeditedtxpt Answered on January 06, 2017 at 02:42 PM
It sounds like the authentication issue has been addressed. Is there a fix (or plans to fix) the http/secure transport issue as pointed out by dkerns? Thank you.
"We can't overlook the fact that you are storing my confidential content on your servers and it can be accessed without authentication and over HTTP (not even secured in transport over SSL)."
- KadeJM Answered on January 06, 2017 at 04:10 PM
I see that you've got a related follow-up question to the initial thread issue with uploaded file security so I've moved yours to a new thread for us to answer separately as a newer question over here.