Major security concerns: widgets are asking for credentials on non-secure URLs

  • mckeeto
    Asked on February 26, 2016 at 05:07 PM

    Just signed up to test out your service. Was attracted by the ease of use and the available plugins. I will not be using the service however--you have major security vulnerabilities. When I went through the app integration process for Salesforce, I was prompted to enter my credentials. You are asking for these credentials on an unsecured web page and passing them (including password) in the clear. It's only a matter of time until someone hacks that connection (assuming they haven't already). A simple traffic sniffer would be able to get all users' credentials for other sites. Major concern.

  • Kevin_G
    Answered on February 26, 2016 at 05:31 PM

    Thank you for letting us know; it is very important for us to get that info from our users.

    However, I did test the integration and it loads over a secure URL.

    Could you share with us a screenshot of what you see on your end, please?

    This guide will help you to upload it: https://www.jotform.com/answers/277033-How-to-add-screenshots-images-to-questions-in-support-forum

     

  • mckeeto
    Answered on February 29, 2016 at 09:45 AM
    I believe it loads over a secure URL *if* you are already on one. What I
    see is attached. As you can see, it is requesting my SFDC creds over HTTP.
    Tyler McKee / Head Referee & Trainer
    tyler@fairfaxathletics.com / 703-470-9649
    Fairfax Athletics
    www.fairfaxathletics.com
  • Kevin_G
    Answered on February 29, 2016 at 10:59 AM

    Unfortunately, your image did not reach this thread. Please follow this guide to upload your image: https://www.jotform.com/answers/277033-How-to-add-screenshots-images-to-questions-in-support-forum

    I have tested trying to load our URLs over a non-secure URL (HTTP) and it redirects to a secure one (HTTPS).

    Please share with us a screenshot of what you are seeing on your end; we will check that and other widgets that work in the same manner.
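
One way to check the behaviour discussed in this thread is sketched below as an added example; it is not part of any post and not JotForm's code. It resolves each iframe source and each password form's action against the URL of the page that hosts them, so a relative or protocol-relative URL that is HTTPS only when the hosting page is HTTPS gets reported when the page is HTTP. The host names and markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CredentialFormAudit(HTMLParser):
    """Find password forms and iframes whose resolved URL is cleartext HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, resolved_url) pairs
        self._in_form, self._has_password, self._action = False, False, None

    def _flag_if_cleartext(self, kind, target):
        resolved = urljoin(self.page_url, target or "")  # no action: posts to the page itself
        if urlsplit(resolved).scheme == "http":
            self.findings.append((kind, resolved))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form, self._has_password, self._action = True, False, a.get("action")
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self._has_password = True
        elif tag == "iframe" and a.get("src"):
            self._flag_if_cleartext("iframe", a["src"])

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            if self._has_password:
                self._flag_if_cleartext("password-form", self._action)
            self._in_form = False


def audit(page_url, html):
    parser = CredentialFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed markup: protocol-relative widget iframe and a login form with a relative action
SAMPLE = """
<iframe src="//widgets.example.test/salesforce"></iframe>
<form action="/login"><input type="text" name="user">
<input type="password" name="pass"></form>
"""
```

Running `audit` on the same markup with an `http://` and then an `https://` page URL shows whether the transport of the credential form depends on how the hosting page was loaded.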