How secure is the edit link of the submission?

  • Jon Eckstein
    Asked on November 10, 2016 at 02:25 AM

    Hi JotForms,

    I've been playing with the v4 builder and really liking it!  I've been looking for a service that allows the user to go back and view/edit their answers at a later date as I'm building a fairly complicated form flow with multiple pages and multiple forms.  

    My question is the following:

    I understand how the edit links work and I was able to get it working within an iframe which is great, but I'm a little worried about the edit links themselves.  How secure are they?

    If I'm a hacker and I want to get someone's jotform answers couldn't I just get lucky by entering the edit url in a browser:

    https://form.jotform.com/edit/<some_random_number>

    where <some_random_number> is some random number that gets filled in via a script?

    I hope that's clear, thanks for any help.

    -Jon

  • Welvin
    Answered on November 10, 2016 at 02:34 AM

    Thank you for the feedback about the new form builder.

    As for the Edit URL, the numbers are open and if one can guess it, they should be able to get the data on the form. But I don't think someone should be able to guess the number considering its length. If that really matters to you, I'll be happy to send this to our backend team. Let me know. 

  • jeckstein
    Answered on November 10, 2016 at 03:44 AM
    It's not a matter of a human guessing it, it's a matter of someone writing
    a script that runs through a trillion numbers and gets it.
    Yes, please send to the backend team as I'm wondering if there's an added
    layer of security that can be put in place like requiring a header with a
    client key or something similar.
    Thanks.

  • owen
    Answered on November 10, 2016 at 03:55 AM

    Hi Jon,

    Security and confidentiality of our users while using JotForm are the most important fundamentals that we care about. Since you have come to us with a concern about these matters, we will be glad to work on this and make all the necessary fixes possible.

    I am now forwarding this concern of yours to our developers and you will be notified when they come up with a solution for it. 

    Please contact us whenever you need assistance. We will be glad if we can be of any help. 

  • jeckstein
    Answered on November 16, 2016 at 12:44 AM
    Hi Owen,
    Are there any updates on this issue? I would really love to implement an
    embedded Jotform solution into an app I'm working with. But the risk of
    data exposure with the current edit endpoints isn't workable, I'll be
    dealing with a lot of sensitive data.
    Thanks for any help.
    -Jon

  • owen
    Answered on November 16, 2016 at 01:51 AM

    Hi again Jon,

    The issue has already been forwarded to the related team. However, I am not able to provide a timeframe since it completely depends on the current workload of the team. We will let you know as soon as there is an update about this issue.

    Thank you for contacting us. 

    Kind Regards
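
The thread asks whether an added layer can stop a bare number in the edit URL from being enough to open a submission. One way to do that, as an added example that is not JotForm's code and not part of the thread: the server signs each edit link with an HMAC over the submission id and an expiry, so a guessed number without a valid signature is refused. The host, the `exp` and `sig` parameters, the function names and the sample id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumptions for this sketch: placeholder host, hypothetical `exp`/`sig`
# query parameters, and a server-side key that never reaches the client.
BASE_URL = "https://form.example.com/edit"
SERVER_KEY = secrets.token_bytes(32)


def _tag(submission_id: str, expires: int, key: bytes) -> str:
    """HMAC-SHA256 over id and expiry; digits-only fields keep '|' unambiguous."""
    msg = f"{submission_id}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_edit_link(submission_id: str, ttl: int = 86400,
                   key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Build an edit URL that is valid only with its signature and before expiry."""
    if not submission_id.isdigit():
        raise ValueError("submission id must be numeric")
    expires = (int(time.time()) if now is None else now) + ttl
    sig = _tag(submission_id, expires, key)
    return f"{BASE_URL}/{submission_id}?exp={expires}&sig={sig}"


def verify_edit_link(url: str, key: bytes = SERVER_KEY,
                     now: Optional[int] = None) -> bool:
    """Return True only for an unexpired link whose signature matches the id."""
    parts = urlsplit(url)
    submission_id = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    try:
        expires = int(query["exp"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # a bare /edit/<number> with no signature is refused
    if not submission_id.isdigit():
        return False
    if (int(time.time()) if now is None else now) > expires:
        return False
    expected = _tag(submission_id, expires, key)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(sig.encode(), expected.encode())
```

With this scheme the number in the path can stay sequential or short, because the 256-bit tag, not the id, is what has to be unguessable.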