I have a security concern about Softr: it may be possible to update another user’s records.
Allow me to set up the scenario to illustrate.
You built a Softr app for vinyl record collectors; it has the following pages:
- Vinyl Records: Has a list block showing vinyl records
- Collection: Has a list block showing vinyl records added to a user’s collection
- Listening Session: Has a list block showing a user’s listening sessions of vinyl records in their collection
Here’s how the security incident happens.
1. User goes to the Vinyl Records page and clicks on the Add To Collection item button on some vinyl records; these vinyl records are added to the user’s collection and are now visible on their Collection page.
2. User goes to the Listening Session page and clicks on the New Listening Session top bar add record button; this creates a new listening session/record. On the list item for the new listening session, the user clicks on the Add Vinyl Record open page button, which opens the Collection page with URL vinylrecordsapp.softr.io/collection?recordid=123456789, where the user can add collected vinyl records to their selected listening session.
3. Now on the Collection page, the user clicks on the Add to Listening Session one-click-update button, which takes the listening session record ID parameter from the URL and adds it to a Listening Session to Add Vinyl Record To linked record field. This triggers a script to run in Airtable that appends the collected vinyl record’s record ID to the selected listening session record (since Softr can’t append to linked record fields, only overwrite them).
So where is the security issue?
It’s the record ID parameter from the URL: vinylrecordsapp.softr.io/collection?recordid=123456789
If the user were to share this URL with another user (which they will; to their knowledge it’s the link to their collection of vinyl records, and of course they want to share this with others and show it off), and user 2 clicks it and then repeats the above step 3, then user 2 is appending vinyl records from their collection to the listening session of user 1 instead of to their own listening session.
Record IDs are basically passwords, and if they get shared there’s no stopping a situation like this from happening.
If you know what you are doing, you could flood another Softr app with unwanted changes or records and possibly exceed their Airtable plan record limit. Think denial-of-service attack (DoS).
If you’re aware of a way to prevent this from happening that I’m clearly not aware of, please do tell. I’d love to improve the security of my app.
I love Softr, and this is probably a fringe case (the nature of it being a Collection page that’s naturally sharable increases this a bit though), but I want my app users to have the best experience possible and I would hate to receive complaints because this inadvertently happened.
Hoping that someone can point me in the right direction on how to prevent this, or Softr can fix it.
P.S. - I hit a brick wall in the development of my app recently when I realized that drop-down menus can’t dynamically display only a user’s linked records, then I realized step 2 in the above scenario is a workaround to fix this - very exciting! But also, it’s a security issue, lol.
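
Added example, not part of the original post and not Softr's or Airtable's own code: a model of the append step from step 3 with an ownership check, so a record ID taken from a shared URL is only honoured when the listening session and the collection item belong to the same user. The in-memory tables and the field names (`owner`, `vinyl`, `vinylRecords`, `sessionToAddTo`) are assumptions, as is the premise that each item's `owner` is set server-side and cannot be edited by the user.

```javascript
// Constructed sample data standing in for two Airtable tables.
// All record IDs and field names here are hypothetical.
const sessions = new Map([
  ["recSession1", { owner: "user1", vinylRecords: ["recVinylA"] }],
  ["recSession2", { owner: "user2", vinylRecords: [] }],
]);
const collectionItems = new Map([
  ["recItem10", { owner: "user1", vinyl: "recVinylB", sessionToAddTo: null }],
  ["recItem20", { owner: "user2", vinyl: "recVinylC", sessionToAddTo: null }],
]);

// Models the triggered script: the one-click update has already written the
// URL's record ID into the item's sessionToAddTo field.
function appendToSession(itemId) {
  const item = collectionItems.get(itemId);
  if (!item) return { ok: false, reason: "unknown collection item" };

  const sessionId = item.sessionToAddTo;
  item.sessionToAddTo = null; // always clear the trigger field, even on refusal

  const session = sessions.get(sessionId);
  if (!session) return { ok: false, reason: "unknown session" };

  // Ownership check: the URL parameter is untrusted input, so the session it
  // names must belong to the same user as the collection item being added.
  if (session.owner !== item.owner) {
    return { ok: false, reason: "session belongs to another user" };
  }

  // Append without overwriting existing links and without duplicates.
  if (!session.vinylRecords.includes(item.vinyl)) {
    session.vinylRecords.push(item.vinyl);
  }
  return { ok: true, reason: "appended" };
}

// Models the one-click-update button: copy the URL parameter into the
// linked-record field, then let the script run.
function oneClickUpdate(itemId, recordIdFromUrl) {
  const item = collectionItems.get(itemId);
  if (item) item.sessionToAddTo = recordIdFromUrl;
  return appendToSession(itemId);
}
```

With this check, user 2 opening user 1's shared link and clicking the button leaves user 1's listening session unchanged, while the same click against their own session still appends.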