Security of personal data in published forms

Hi all,

I’m creating a form that lets members of an organization update their personal data in the member database. Since including sensitive data in query links is insecure and forbidden, I created a way around this issue and would now like to hear some feedback from the security experts among us.

This is my idea:

  1. Generate a hash value column from all other columns for each row in the “personal data” table
  2. Send an email to every member with a link to the form of the “updated personal data” table and only the hash value ID as a pre-filled, hidden lookup value
  3. Pull all current sensitive data into the form as related columns of the ID lookup
  4. Let members submit their updated data, so you can override the original table after you checked the submissions

This is my doc:

Published Doc Link

I haven’t implemented the mail feature in this show doc, but you can click the individual form links.
Since it is necessary to include all lookup columns in the security settings, I have a few concerns:

  1. Is it possible for people with one link to show the hidden ID column and to select one of the other lookup IDs?
  2. Is the lookup table or the table behind the form accessible with simple hacking skills like SQL injection?
  3. Would it improve the security to not store the hash values in the table but to evaluate them just in time?
  4. Is it still insecure to send this sensitive data back and forth via forms?

Thank you very much in advance,

best regards

Marius

Hi @M_Schneider,

It looks good to me, though I am not a security expert. My experience with forms and data exchange is that most of the time the data is visible in the URL, and ‘IT people’ are concerned about the row IDs and try to find a way around it (row ID or alternatives as key) to disable the option to empty their base via creative browsing.

For example, when using Paperform with Coda via Zapier the data is in the open, and I guess this is what Coda is warning about.

I am not sure how ‘easy’ someone can translate the values back to ‘human readable values’. How do you do that in Coda, by the way, in case you would need to?

Second, how are you matching the updated values with the existing ones? Based on what?

I added the Crypto::SHA256() to a form URL and noticed that if you have one empty value, this logic breaks. For example, if you have a field for comments and nothing is written, the link is broken. How would you suggest working around this? Maybe an automation that first fills out something before encrypting it?

1) Yes, you can add any kind of ID as matching value; once hashed, it seems to me not so important what kind of ID you use, like RowId / Created / Random Integer (via an automation) or a combination of these.
2) I don’t know.
3) Everything you can do on the fly is better for performance, I guess; once someone is in your table, everything is in the open.
4) If you can make sure that every bit of data is encrypted in the URL, I would consider it okay. As said before, the main worry is that most of the time the data is transmitted in a very readable form.

Best, Christiaan

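The scheme from the opening post (steps 1 to 4) and the empty-column issue Christiaan describes, modelled as an added Python example; this is not Coda’s Crypto::SHA256() or anyone’s doc formula here, and the sample rows, column names and the canonical JSON encoding are assumptions.

```python
"""Model of the thread's design: a hash over every other column becomes the
hidden lookup ID in a per-member form link. Constructed data, not Coda code."""
import hashlib
import json
import secrets
from typing import Optional

# Constructed sample "personal data" table (placeholder values, not real members).
MEMBERS = [
    {"name": "Alice Example", "email": "alice@example.org", "comment": ""},
    {"name": "Bob Example", "email": "bob@example.org", "comment": "vegetarian"},
]


def row_hash(row: dict) -> str:
    """Step 1: deterministic SHA-256 over all columns.

    Columns are serialised as JSON with sorted keys, so an empty field still
    contributes a fixed token ("") and column order cannot change the result.
    That is one way to avoid the broken link Christiaan saw on an empty column.
    """
    canonical = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def random_token() -> str:
    """Alternative Christiaan mentions: an ID with no relation to the data."""
    return secrets.token_urlsafe(32)


def build_lookup(table: list) -> dict:
    """Steps 2 and 3: stored hash -> row, as the form's hidden lookup resolves it."""
    return {row_hash(row): row for row in table}


def lookup(index: dict, hidden_id: str) -> Optional[dict]:
    """Resolve the hidden ID carried in a link to exactly one row, or to none."""
    return index.get(hidden_id)


def hash_changes_when_data_changes(row: dict) -> bool:
    """A data-derived ID moves with the data: a link minted before an edit no
    longer resolves until the hash column is recomputed for the edited row."""
    edited = dict(row, comment=row["comment"] + " updated")
    return row_hash(edited) != row_hash(row)
```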

Hi @M_Schneider,

I just tried to create a URL based on your idea to apply Crypto::SHA256(), but it appears it doesn’t work like that. I created a functioning URL, but it did not pre-fill, so I am afraid this trick won’t work.

Maybe others have insights I overlook.

And if it does not work, the main issue remains: data flows over the internet. I am using these forms for simple things like feedback on calculations, reservations, evaluations etc.

Cheers, Christiaan


Hey @Christiaan_Huizer,

Thanks for your commitment! Did you copy my doc for testing? This should give you a little more detailed insight into my work and how I made the links work. :wink:

Since there aren’t that many columns, I matched the columns by hand; this formula can be found in the “update original table” button column.

The hashes practically can’t be translated back; a randomly generated key would also work in this case, but I wanted it to be deterministic and reproducible.

Thanks for showing me that bug, it always appeared when changing data, but the new link began to work a few seconds after the change.

  1. Seems like I phrased my question wrong, I wanted to know if it is possible for attackers to make them visible.
  2. From the performance point of view it should be more efficient to use pre calculated values from a table, but yes, that was my concern.
  3. The data that gets pulled via lookup is not encrypted (by me).

Sure, the data also travels over the internet when I’m working on my doc, but in this case I’m quite positive that it is encrypted. The question is, how is the lookup traffic protected?

Best regards

Marius

Hi @M_Schneider,

I am afraid I misunderstood you. I assumed you wanted to use a form outside Coda, but if I understand correctly you want to invite all the users in the doc and you do not want them to see the values you pull in via the lookup. Correct?

I can read all the values in the doc without copying the doc, but if you open it, I can enter it :wink:

Cheers, Christiaan

Hey @Christiaan_Huizer,

No, you didn’t; I do want to use the form outside of Coda. But yes, I want people to see only the lookup values that are connected to the ID of their link. If I made the ID column visible, everyone would be able to select every ID in the table.

Please copy it for yourself if you want to take a look under the hood; I don’t want people to make changes on this one. :wink:

Maybe I didn’t make myself clear: the doc already performs exactly like I want it to, and I can’t detect any security issues by myself. That’s why I need some security experts or Codans to take a look at it and try to “attack” it.

Hackers would also have this information about Coda’s technology.

Best regards

Marius