In most cases, trust boundaries are violated when a secret is exposed in a source code repository or an uncontrolled deployment environment.
Unintended people who don’t need to know the secret might get access to it. They might then be able to use it to gain unwanted access to associated
services or resources.
The trust issue can be more or less severe depending on the people’s role and entitlement.
If an attacker gains access to a Typeform personal access token, they might be able to compromise the data that is accessible to the linked
Typeform account. By doing so, it might be possible for customer data to be leaked by the attacker.
What is the potential impact?
If an attacker gains access to forms and the data linked to the forms, your organization may be impacted in several ways.
Data compromise
Typeform often is used to store private information that users have shared through their forms. This is called Personally Identifiable Information.
The leaked app key could provide a gateway for
unauthorized individuals to access and misuse this data, compromising the privacy and safety of the application users.
In many industries and locations, there are legal and compliance requirements to protect sensitive personal information. If this kind of sensitive
personal data gets leaked, companies face legal consequences, penalties, or violations of privacy laws.
Phishing attacks
An attacker can use the Typeform access token to lure them into links to a malicious domain controlled by the attacker.
They can use the data stored in the forms to create attacks that look legitimate to the victims. In some cases, they might even edit existing forms
to lead users to a malicious domain directly.
Once a user has been phished on a legitimate-seeming third-party website, the attacker can trick users into submitting sensitive information, such
as login credentials or financial details. This can lead to identity theft, financial fraud, or unauthorized access to other systems.
