
Typeform fixes Zendesk Sell form data hijacking vulnerability
2021-01-11 10:46

Typeform, a software-as-a-service provider of online surveys and form building, has patched an information hijacking vulnerability.

The flaw, which existed in Typeform's Zendesk Sell app integration, could let attackers quietly redirect form submissions containing potentially sensitive data to themselves.

Behind the scenes, Typeform's systems use each form's ID throughout their workflows to keep track of form submissions and to transmit collected data between different parts of the application.

Typeform allows integration of apps and web services like Google Analytics and Zendesk Sell to help enhance the processing of form submissions.

The researcher additionally created an "Attacker's" Zendesk Sell account for testing and noticed that the "Form id" field transmitted in the integration request could be changed to an arbitrary value, such as the form ID of a Typeform survey belonging to the victim.
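
The missing authorization check behind this kind of flaw, shown as an added example that is not Typeform's or Zendesk's code: an integration handler that trusts the submitted form ID, beside one that verifies the form belongs to the session's account. The store, account names and form IDs are constructed for illustration.

```python
# Added illustration: names and data below are constructed, not Typeform's code.
from dataclasses import dataclass, field

# Constructed sample data: which account owns which form.
FORM_OWNERS = {"vicForm1": "victim", "atkForm9": "attacker"}


class Forbidden(Exception):
    """Raised when the caller does not own the referenced form."""


@dataclass
class IntegrationStore:
    # form_id -> set of accounts whose CRM receives that form's responses
    links: dict = field(default_factory=dict)

    def connect_vulnerable(self, session_account: str, form_id: str) -> None:
        # IDOR: the client-supplied form_id is trusted as-is, so any
        # authenticated account can attach itself to any existing form.
        if form_id not in FORM_OWNERS:
            raise KeyError(form_id)
        self.links.setdefault(form_id, set()).add(session_account)

    def connect_hardened(self, session_account: str, form_id: str) -> None:
        # Authorize the object reference against the session, not the request.
        # Unknown and foreign IDs get the same error so IDs cannot be probed.
        if FORM_OWNERS.get(form_id) != session_account:
            raise Forbidden("form not found for this account")
        self.links.setdefault(form_id, set()).add(session_account)

    def recipients(self, form_id: str) -> set:
        # Accounts that would receive a new submission for this form.
        return set(self.links.get(form_id, ()))


def demo() -> dict:
    weak, strong = IntegrationStore(), IntegrationStore()
    weak.connect_vulnerable("attacker", "vicForm1")   # accepted: data leak
    try:
        strong.connect_hardened("attacker", "vicForm1")
        blocked = False
    except Forbidden:
        blocked = True
    strong.connect_hardened("victim", "vicForm1")     # legitimate owner
    return {"weak": weak.recipients("vicForm1"),
            "strong": strong.recipients("vicForm1"),
            "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Auditing an existing system for this pattern amounts to listing stored integration links and flagging any whose linked account differs from the form's owner.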

"Summing up, using IDOR in this integration process, attacker could integrate his Zendesk sell account with any form without any kind of user interaction and could fetch all sensitive data received as a form response," said Patel.


News URL

https://www.bleepingcomputer.com/news/security/typeform-fixes-zendesk-sell-form-data-hijacking-vulnerability/