Bug hunter Ronak Patel recently gave details on an Insecure Direct Object Reference (IDOR) bug in Typeform, "an application [used] to create structures for surveys, quiz and more." An IDOR vulnerability arises when a system object is exposed through a reference that clients can access directly, without the server checking that they are authorized to do so. In this case, the object is a Typeform form/survey and the reference is the "form_id", which could allow attackers to get hold of the data submitted to a form.
Typeform permits integration of applications and web services such as Google Analytics and Zendesk Sell to help streamline the handling of form submissions. For instance, survey creators can use the Zendesk Sell application and map the survey response fields to the Zendesk Sell fields in their account for data analysis. Patel created a test Zendesk Sell account and integrated it with his Typeform account. He observed the network requests, including the GET and POST fields, being exchanged between Typeform and Zendesk Sell throughout the integration workflow. The "form_id" field then drew his attention.
The researcher also created an "attacker's" Zendesk Sell account for testing and found it was possible to tamper with the "form_id" field sent in the integration request, changing it to an arbitrary value, for example the form_ID of a Typeform survey belonging to the victim. This means cybercriminals could harvest the collected survey responses into their own Zendesk Sell accounts, with the survey creator having no knowledge of the illicit activity taking place.
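To make the failure concrete, here is an added example (not Typeform's or Zendesk's code) of the pattern the article describes: an integration-binding handler that trusts a client-supplied form_id, placed beside a hardened version that verifies the caller owns the form before acting on it. The accounts, form identifiers and CRM destination names are constructed for illustration, and the in-memory store stands in for whatever database the real service uses.

```python
# Added example, not code from Typeform or Zendesk. It models the IDOR
# described in the article: an integration request carries a "form_id", and the
# vulnerable handler never checks that the authenticated caller owns that form.
# All accounts, ids and data below are constructed for illustration.

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Form:
    form_id: str
    owner_account: str
    responses: List[dict] = field(default_factory=list)


@dataclass
class IntegrationRequest:
    # Identity of the authenticated caller, taken from the session, never
    # from the request body.
    caller_account: str
    # Client-supplied object reference: the field the article says was tamperable.
    form_id: str
    # Hypothetical identifier of the connected CRM account that should receive
    # the form's responses.
    crm_account: str


class AuthorizationError(Exception):
    pass


# Constructed sample data: two Typeform accounts, each owning one form.
FORMS: Dict[str, Form] = {
    "form-owner-001": Form("form-owner-001", "owner@example.com",
                           [{"q1": "answer from respondent A"}]),
    "form-other-002": Form("form-other-002", "other@example.com", []),
}

# form_id -> CRM account that receives that form's responses.
BINDINGS: Dict[str, str] = {}


def bind_integration_vulnerable(req: IntegrationRequest) -> str:
    """Vulnerable pattern: existence is checked, ownership is not.

    Any authenticated caller can route any form's responses to a CRM
    account of their choosing simply by naming the form_id.
    """
    if req.form_id not in FORMS:
        raise KeyError("unknown form")
    BINDINGS[req.form_id] = req.crm_account
    return req.crm_account


def bind_integration_fixed(req: IntegrationRequest) -> str:
    """Hardened pattern: resolve the object, then verify the caller owns it.

    'Missing' and 'not yours' produce the same error so the endpoint does
    not reveal whether a guessed form_id exists in another tenant's account.
    """
    form = FORMS.get(req.form_id)
    if form is None or form.owner_account != req.caller_account:
        raise AuthorizationError("form not found or not owned by caller")
    BINDINGS[req.form_id] = req.crm_account
    return req.crm_account


def response_destination(form_id: str) -> Optional[str]:
    """Where the responses for form_id are currently being delivered."""
    return BINDINGS.get(form_id)


def demo() -> dict:
    """Runs both handlers against a cross-tenant request and reports the outcome."""
    BINDINGS.clear()
    cross_tenant = IntegrationRequest(caller_account="other@example.com",
                                      form_id="form-owner-001",
                                      crm_account="crm-other")
    legitimate = IntegrationRequest(caller_account="owner@example.com",
                                    form_id="form-owner-001",
                                    crm_account="crm-owner")
    result = {}

    # Vulnerable handler: the owner's responses are rerouted to another tenant.
    bind_integration_vulnerable(cross_tenant)
    result["vulnerable_destination"] = response_destination("form-owner-001")

    BINDINGS.clear()
    # Fixed handler: the cross-tenant request is refused, the owner's succeeds.
    try:
        bind_integration_fixed(cross_tenant)
        result["fixed_rejected"] = False
    except AuthorizationError:
        result["fixed_rejected"] = True
    bind_integration_fixed(legitimate)
    result["fixed_destination"] = response_destination("form-owner-001")
    return result


if __name__ == "__main__":
    print(demo())
```

The important design point is that the fix is an ownership check on the server, scoped to the authenticated identity; hiding or obfuscating form_id values would not help, because the reference is meant to be visible to the client. A log line for every rejected binding attempt also gives defenders a cheap signal for cross-tenant probing.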
Patel states that he found the vulnerability around six months ago and that the platform fixed it two months ago.
Read more https://www.ehackingnews.com/2021/01/typeform-patched-information-hijacking.html