  • Profile Image

    Why is my uploaded file link unsecured in my account and not just sent to Dropbox?

    Asked by sophrokhepri on October 26, 2016 at 01:21 PM

    Hello,

    my form:

    https://form.jotformeu.com/xxxxxxxxxxx

    this form sends confidential files to my secured dropbox using your dropbox api.

     I was very surprised to see that the files are also available directly in my unsecured folder:

    http://files.jotform.com/jufs/soxxxxxxxxxxxxxxxxx.jpg

    Why is this file on your server in my upload area because I chose to place it on my dropbox ???

    Have I missed a step?

    whoever has the link has the file.

    How can I correct this?

    If I use my dropbox I don't want these files to be also in my unsecured upload zone.

    Why is this zone public access?

    This is urgent and mandatory for me

    I count on an answer and fast correction of this huge security problem

    You are claiming to do https to secure but, what about the files?

    I put this question public, so I didn't give the full links.

  • Profile Image
    JotForm Support

    Answered by KadeJM on October 26, 2016 at 04:18 PM

    I see that you're wondering what's going on with uploaded files from your form that you wanted to only be stored in dropbox.

    What you are seeing is normal and is the way that our dropbox integration functions, which is to upload and store the file and its associated submission within your account, at which point a copy is also thereafter sent to be stored within your dropbox if enabled. This is also how our system determines your usage (i.e. upload space, submission counts, etc.).

    The only way around that problem is to either delete the submission containing the file from your account and keep the copy in your dropbox or alternatively we also have an Autodelete App that would delete it shortly afterwards that you might find useful to automate this process.

    Also, the file links are indeed secured unless you've done something to unsecure your form but, if not then that could possibly mean that our devs might be fixing or updating something temporarily.

    I tested this with one of my own images and it is secured with https to confirm it.

  • Profile Image

    Answered by sophrokhepri on October 28, 2016 at 08:50 AM

    Hello from France

    Sophrokhepri here.

    I think that you consider that as long as it uses https, a file is secured!!

    few questions for jotform:

    Please answer them quickly

    1 - secured also wants to mean private yes or no?

    2 - a private post on whatever system must only be read by the sender and the receiver Yes or No!

    3 - We use SSL to secure file transfer, is it very useful if once uploaded on your servers access to that file is public YES or No?

    4 Autodelete.App does it delete the whole submission or just the uploaded files, it seems that the whole submission is deleted YES or NO?
    looking at the reviews  here http://apps.jotform.com/app/auto_delete_submissions
    It seems that it deletes submissions but not the files yes or No

    more to come on next post (not enough space)

  • Profile Image

    Answered by sophrokhepri on October 28, 2016 at 09:19 AM

    second part  of the post...

    5 -  I can't understand why all files and data in my private area are not private, this wants to mean that everyone can read everyone's uploaded files

    6 -  my files are concerning medical data and are really private, I didn't imagine such a terrific lack of security of a company like Jotform.

    You can't say that your files are secured give me the link of one of your files, (not your password) and I will retrieve it !!!

    It is just like if your storage in the cloud is readable by everyone once we have the link.

    looking at the reviews  here http://apps.jotform.com/app/auto_delete_submissions

    It seems that it deletes submissions but not the associated files. yes or No

    I tried with a test file, one of my uploads is https://eu.jotform.com/uploads/sophrokhepri/52202499676362/353308244831968407/Chaises.JPG

    I deleted the submission

    and the file is still there and can be accessed by everyone.

    NO WAY TO DELETE IT (I am terrified)

    so everyone can access my files and no way to delete or protect them!!!

    If you don't correct this, I will publish that Jotform is not PRIVATE 

    even free apps like wetransfer are more private than jotform

    I think you have to transfer this post to developers 

    your concept of security is like if I use a secured truck to carry my money and a bank where you can't lock the door.

    Sorry to be bad but I haven't the choice
    This post is thought to be constructive.

    Philippe

     

  • Profile Image
    JotForm Support

    Answered by KadeJM on October 28, 2016 at 10:22 AM

    I do apologize that this has caused such a major concern for you and I believe I understand what you are getting at about it.  I've answered a few of your questions below but I also want to inform you that I have passed this thread of yours over to our developers to alert them of this concerning situation which you are seemingly upset about so that we can check on this more to rectify it if needed.

    1 - secured also wants to mean private yes or no? 

    Https secures it as ssl and also Form Encryption is a good idea also to secure the data with it.

     

    2 - a private post on whatever system must only be read by the sender and the receiver Yes or No!

    Are you referring to a submissions as the private post that was sent to you by whom submitted it?

     

    3 - We use SSL to secure file transfer, is it very useful if once uploaded on your servers access to that file is public YES or No?

    No, the file should only be accessible by you and the person that submitted it to you unless you opt to share it with others.

     

    4 Autodelete.App does it delete the whole submission or just the uploaded files, it seems that the whole submission is deleted YES or NO? looking at the reviews  here http://apps.jotform.com/app/auto_delete_submissions. It seems that it deletes submissions but not the files yes or No?

    The Autodelete App deletes the entire submission and the submission includes the file that was uploaded, so that should be deleted along with it; to my current knowledge this is how it functions.

     

    5 -  I can't understand why all files and data in my private area are not private, this wants to mean that everyone can read everyone's uploaded files.

    It should be private unless you've shared it somehow but, we'll check on this more to investigate.

     

    6 -  my files are concerning medical data and are really private, I didn't imagine such a terrific lack of security of a company like Jotform.

    I understand your concerns here and we will double-check on this as well.

  • Profile Image

    Answered by sophrokhepri on October 28, 2016 at 11:31 AM

    Hi Kade,

    point 3 and 5 of my post

    try this one that I deleted 1 hour ago:

    https://files.jotform.com/jufs/sophrokhepri/52202499676362/353308244831968407/Chaises.JPG

    right now i have an error :

    <Error>

    <Code>AccessDenied</Code>

    <Message>Access Denied</Message>

    <RequestId>A72B65578F618F32</RequestId>

    <HostId>BWOFtf1Mq9gjJQhvbvem8mJeHZBD6AUDuTxaen39vZs/zNYvS5id/tCSCtIK9nKGL/xhtpCsPbk=</HostId>

    </Error>

    but try this one that I didn't delete, and try it even not logged in to a jotform account.

    https://eu.jotform.com/uploads/sophrokhepri/52202499676362/353303550831744897/arjo.JPG

    everybody can see or download the file.

    point 2 of my post

    Yes privacy is between sender and receiver, and no one else: imagine for example that everybody could have access to all the included files sent by others on your mailbox.

    point 5 of my post

    how could I have shared this ???

  • Profile Image
    JotForm Founder

    Answered by aytekin on October 28, 2016 at 12:27 PM

    1. There was a problem with deleted files still being available. It was happening because we still had the deleted files in our cache. This problem should now be fixed. The deleted files should not show up any more and show that error message you have posted. 

    But, if you see deleted files still showing up, let us know and our support team will make sure that their caches are cleared. 

     

    2. Since we send the link for the uploaded files in the emails, they are available from impossible-to-guess URLs. They can only be seen if someone knows the URL, which is private.

    If you are getting highly sensitive uploads, and can't have them available to anyone who has the URL like that, unfortunately, there is nothing we can do at this time, you must delete your submissions and stop using JotForm for such file uploads. 

    This is something we will look into though. 

    There is the auto-delete submission app which automatically deletes your submissions. Once the submission is deleted the uploaded file will also be gone. You can also give that a try. 

    https://apps.jotform.com/app/auto_delete_submissions

     

     

  • Profile Image

    Answered by sophrokhepri on October 28, 2016 at 02:00 PM

    Do you know any private cloud storage like microsoft or google drive where the only protection is just "hard to guess" file c

    if I use encrypted form, do you also encrypt uploaded files like claimed in your webpage:

    Encrypted Forms Keep your form data completely private

    or maybe uploaded files are not considered as "data"

  • Profile Image
    JotForm Support

    Answered by BDAVID on October 28, 2016 at 05:04 PM

    I don't really know of any other private cloud storage that has other protection than "hard to guess". 

    In regards to encrypted forms, the uploaded files are left as they are, meaning that any file that gets submitted on your form (photo, document, etc) is left unchanged and will be passed as such to your integration. 

    Here is more information about the encryption feature: https://www.jotform.com/help/344-Encrypted-Forms-and-How-to-Use-Them

  • Profile Image

    Answered by sophrokhepri on October 29, 2016 at 04:34 AM

    hello from france

    to BDAVID :

    All the cloud storage services I know (googledrive, amazonS3, dropbox, ovh hubic, apple, microsoft, ...) protect access to the customer's file in another way than "hard to guess" protection, which is definitively not sufficient in our hacker's world.

    to AYTEKIN, thanks to pass this to him:

    right now I use autodelete on my forms, it works for the form data but my downloads are still there, my submitters can see regarding the pdf they receive that their files are still there at the time they receive the pdf

    example :

    http://files.jotform.com/jufs/sophrokhepri/52202499676362/353536244651630428/3.jpg
    posted 29-10-2016 09:44:12 my time and still accessible 40 minutes after!

    How much time do you need to delete a file ?

    I repeat your answer, AYTEKIN :

     There is an the auto-delete submission app which automatically deletes your submissions. Once the submission is deleted the uploaded file will also be gone. You can also give that a try. 

    so I gave a try and it doesn't work

    to summarize :

    1- Do what you say, when you delete a file, delete it.

    2- why don't you put options on auto-delete apps to delete just the uploaded files

    I am in one of your european server, I don't think that the european data protection will be pleased to know this fact

    you also told me:

     There was a problem with deleted files still being available

    I correct your answer

     There is still a problem with deleted files still being available 24 hours after your post

    Please do what you say.

    I am sorry to develop publicly all this but you can email me if you want more private discussion.

    Thanks for your action

    One of your customers, Philippe

  • Profile Image

    Answered by sophrokhepri on October 29, 2016 at 04:51 AM
  • Profile Image

    Answered by sophrokhepri on October 29, 2016 at 05:19 AM

    update:

    http://files.jotform.com/jufs/sophrokhepri/52202499676362/353536244651630428/3.jpg

    still there 90 minutes after deletion !

    what are you doing?

  • Profile Image

    Answered by sophrokhepri on October 29, 2016 at 08:43 AM

    Answered by sophrokhepri on October 29, 2016 at 05:19 AM

    update:

    http://files.jotform.com/jufs/sophrokhepri/52202499676362/353536244651630428/3.jpg

    still there 5 hours after deletion !

    and the bookmark you include in the pdf you sent after submitting is not in https, where is the security?

    ????????????????

  • Profile Image

    Answered by sophrokhepri on October 29, 2016 at 11:58 AM

    is there someone to care about my problem?

  • Profile Image
    JotForm Support

    Answered by paulsimpson on October 29, 2016 at 02:03 PM

    Hi

    The file has now been deleted. Apologies for the delay on this matter.

    Paul

  • Profile Image

    Answered by sophrokhepri on October 29, 2016 at 10:20 PM

    sorry Paul but Apologies are not sufficient.

    What happened?

    will it be the same in the future?

    will I be obliged to ask you to delete the files I delete?

    is there any workaround?

    -another try this morning

    autodeleted form

    4 hours later files are still there

    example:

    http://files.jotform.com/jufs/sophrokhepri/52202499676362/353624847651913432/C70.jpg

    How reliable are your answers?

     Philippe

  • Profile Image
    JotForm Support

    Answered by EltonCris on October 30, 2016 at 09:05 AM

    That file is now deleted.

    This thread is still on the developer's list. I'm pretty sure they're still working on a solution about this matter. You will receive updates from them here with regards to your concern.

    Thanks!

  • Profile Image
    JotForm Support

    Answered by EltonCris on October 30, 2016 at 09:16 AM

    @Philippe

    By the way, I've made some tests with using the auto delete app and you're right, it is still not instantaneously deleting the uploaded files - only the submissions data. I will submit this issue to our developers on a separate thread here. Hopefully, someone would enhance this app and make it work with deleting the uploaded files too.

    However, manually deleting the submissions in the form submissions page is now deleting the uploaded files instantly. We suggest to do this at least for now.

    Thanks!

     

  • Profile Image
    JotForm Support

    Answered by BDAVID on November 02, 2016 at 12:13 PM

    Update: our developers have just implemented a feature to make uploads more secure. If you enable it, the links are only accessible when you are logged into your JotForm account: https://www.jotform.com/blog/259-Keeping-Your-Uploads-Secure
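
A minimal model of the two issues raised in this thread (files readable by anyone holding the link, and deleted files still served from a cache) next to the login-required behaviour described in the final update. This is an added example, not JotForm's code: the `UploadService` class, its options and the paths are hypothetical, and purging the cache on delete is an assumption about how such a fix works.

```python
import secrets


class UploadService:
    """Toy model: origin store, a cache in front of it, and an access policy."""

    def __init__(self, require_login=False, purge_on_delete=False):
        self.require_login = require_login      # hardened: owner session required
        self.purge_on_delete = purge_on_delete  # hardened: delete also evicts cache
        self.origin = {}  # path -> (owner, bytes)
        self.cache = {}   # path -> (owner, bytes), filled on a successful read

    def upload(self, owner, name, data):
        # The random path component is the only protection in the weak setup.
        path = f"/uploads/{owner}/{secrets.token_hex(16)}/{name}"
        self.origin[path] = (owner, data)
        return path

    def delete(self, path):
        self.origin.pop(path, None)
        if self.purge_on_delete:
            self.cache.pop(path, None)

    def get(self, path, session_user=None):
        """Return (status, body) the way an HTTP front end would."""
        entry = self.cache.get(path) or self.origin.get(path)
        if entry is None:
            return 404, b""
        owner, data = entry
        if self.require_login and session_user != owner:
            return 403, b""  # holding the link is not enough
        self.cache[path] = entry
        return 200, data


def scenario(service):
    """Upload, read (warms the cache), delete, then read anonymously again."""
    path = service.upload("alice", "scan.jpg", b"constructed sample bytes")
    before = service.get(path)[0]               # anonymous, only knows the link
    owner_read = service.get(path, "alice")[0]  # logged-in owner
    service.delete(path)
    after = service.get(path)[0]                # anonymous, after deletion
    return before, owner_read, after


weak = scenario(UploadService())
hardened = scenario(UploadService(require_login=True, purge_on_delete=True))
print("link-only, no purge:", weak)
print("login + purge      :", hardened)
```
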