- Jon EcksteinAsked on November 10, 2016 at 02:25 AM
I've been playing with the v4 builder and really liking it! I've been looking for a service that allows the user to go back and view/edit their answers at a later date as I'm building a fairly complicated form flow with multiple pages and multiple forms.
My question is the following:
I understand how the edit links work and I was able to get it working within an iframe which is great, but I'm a little worried about the edit links themselves. How secure are they?
If I'm a hacker and I want to get someone's jotform answers couldn't I just get lucky by entering the edit url in a browser:
where <some_random_number> is some random number that gets filled in via a script?
I hope that's clear, thanks for any help.
- JotForm SupportWelvinAnswered on November 10, 2016 at 02:34 AM
Thank you for the feedback about the new form builder.
As for the Edit URL, the numbers are open and if one can guess it, they should be able to get the data on the form. But I don't think someone should be able to guess the number considering its length. If that really matters to you, I'll be happy to send this to our backend team. Let me know.
- jecksteinAnswered on November 10, 2016 at 03:44 AMIt's not a matter of a human guessing it, it's a matter of someone writing
a script that runs through a trillion numbers and gets it.
Yes, please send to the backend team as I'm wondering if there's an added
layer of security that can be put in place like requiring a header with a
client key or something similar.
- JotForm SupportowenAnswered on November 10, 2016 at 03:55 AM
Security and confidentiality of our users while using JotForm are the most important fundamentals that we care about. Since you have come to us with a concern at these matters we will be glad to be working on this and make the all the necessary fixes possible.
I am now forwarding this concern of yours to our developers and you will be notified when they come up with a solution for it.
Please contact us whenever you need assistance. We will be glad if we can be of any help.
- jecksteinAnswered on November 16, 2016 at 12:44 AMHi Owen,
Are there any updates on this issue? I would really love to implement an
embedded Jotform solution into an app I'm working with. But the risk of
data exposure with the current edit endpoints isn't workable, I'll be
dealing with a lot of sensitive data.
Thanks for any help.
- JotForm SupportowenAnswered on November 16, 2016 at 01:51 AM
Hi again Jon,
The issue has already been forwarded to the related team. However, I am not able to provide a timeframe since it completely depends on the current workload of the team. We will let you know as soon as there is an update about this issue.
Thank you for contacting us.