Secret leaks often occur when a sensitive piece of authentication data is stored with the source code of an application. Considering the source
code is intended to be deployed across multiple assets, including source code repositories or application hosting servers, the secrets might get
exposed to an unintended audience.
Why is this an issue?
In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
services or resources.
The trust issue can be more or less severe depending on the people’s role and entitlement.
If an attacker gains access to a Typeform personal access token, they might be able to compromise the data that is accessible to the linked
Typeform account. By doing so, it might be possible for customer data to be leaked by the attacker.
What is the potential impact?
If an attacker gains access to forms and the data linked to the forms, your organization may be impacted in several ways.
Data compromise
Typeform often is used to store private information that users have shared through their forms. This is called Personally Identifiable Information.
The leaked app key could provide a gateway for
unauthorized individuals to access and misuse this data, compromising the privacy and safety of the application users.
In many industries and locations, there are legal and compliance requirements to protect sensitive personal information. If this kind of sensitive
personal data gets leaked, companies face legal consequences, penalties, or violations of privacy laws.
Phishing attacks
An attacker can use the Typeform access token to lure them into links to a malicious domain controlled by the attacker.
They can use the data stored in the forms to create attacks that look legitimate to the victims. In some cases, they might even edit existing forms
to lead users to a malicious domain directly.
Once a user has been phished on a legitimate-seeming third-party website, the attacker can trick users into submitting sensitive information, such
as login credentials or financial details. This can lead to identity theft, financial fraud, or unauthorized access to other systems.
How to fix it
Revoke the secret
Revoke any leaked secrets and remove them from the application source code.
Before revoking the secret, ensure that no other applications or processes are using it. Other usages of the secret will also be impacted when the
secret is revoked.
Use a secret vault
A secret vault should be used to generate and store the new secret. This will ensure the secret’s security and prevent any further unexpected
disclosure.
Depending on the development platform and the leaked secret type, multiple solutions are currently available.
Code examples
Noncompliant code example
import requests
token = 'tfp_DEueEgDipkmx52r7rgU5EC7VC5K2MzzsR61ELEkqmh3Y_3mJqwKJ2vtfX5N' # Noncompliant
response = requests.get('https://api.typeform.com/forms', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
Compliant solution
import requests
token = os.getenv('TYPEFORM_PERSONAL_ACCESS_TOKEN')
response = requests.get('https://api.typeform.com/forms', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
Resources
Documentation
Typeform Developers - Regenerate your personal access
token
Standards
