Security Concern - Ability to Update Another User's Records

I have a security concern about Softr that it may be possible to update another user’s records.

Allow me to set up the scenario to illustrate.

You built a Softr app for vinyl record collectors; it has the following pages:

  • Vinyl Records: Has a list block showing vinyl records
  • Collection: Has a list block showing vinyl records added to a user’s collection
  • Listening Session: Has a list block showing a user’s listening sessions of vinyl records in their collection

Here’s how the security incident happens.

  1. User goes to the Vinyl Records page and clicks the Add To Collection item button on some vinyl records; these vinyl records are added to the user’s collection and are now visible on their Collection page.

  2. User goes to the Listening Session page and clicks the New Listening Session top bar add record button, which creates a new listening session record. On the list item for the new listening session, the user clicks the Add Vinyl Record open page button, which opens the Collection page with URL vinylrecordsapp.softr.io/collection?recordid=123456789, where the user can add collected vinyl records to their selected listening session.

  3. Now on the Collection page, the user clicks on the Add to Listening Session one-click-update button that takes the listening session record ID parameter from the URL and adds it to a Listening Session to Add Vinyl Record To linked record field, which triggers a script to run in Airtable that appends the collected vinyl record’s record ID to the selected listening session record (since Softr can’t append to linked record fields, only overwrite them).

So where is the security issue?

It’s the record ID parameter from the URL: vinylrecordsapp.softr.io/collection?recordid=123456789

If the user were to share this URL with another user (which they will; to their knowledge it’s the link to their collection of vinyl records, and of course they want to share this with others and show it off), and user 2 clicks it and then repeats step 3 above, then user 2 is appending vinyl records from their collection to the listening session of user 1 instead of to their own listening session.

Record IDs are basically passwords, and if they get shared there’s no stopping a situation like this from happening.

If you know what you are doing, you could flood another Softr app with unwanted changes or records and possibly exceed their Airtable plan record limit. Think denial of service attack (DoS).

If you’re aware of a way to prevent this from happening that I’m clearly not aware of, please do tell. I’d love to improve the security of my app.

I love Softr, and this is probably a fringe case (the nature of it being a Collection page that’s naturally sharable increases this a bit though), but I want my app users to have the best experience possible and I would hate to receive complaints because this inadvertently happened.

Hoping that someone can point me in the right direction on how to prevent this, or Softr can fix it.

P.S. - I hit a brick wall in the development of my app recently when I realized that drop-down menus can’t dynamically display only a user’s linked records, then I realized step 2 in the above scenario is a workaround to fix this - very exciting! But also, it’s a security issue, lol.
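The core of the concern above is that the one-click-update step trusts the `recordid` that arrived in the URL. The example below is added here and is not code from the original post, from Softr or from Airtable: it models the append step in plain JavaScript with an in-memory stand-in for the base, and shows the unchecked shape beside one that verifies, from the logged-in identity rather than the URL, that the acting user owns both the listening session and the vinyl record before appending. All record ids, emails and the `tables` layout are constructed sample values.

```javascript
// Constructed sample base mirroring the thread's setup (not real Airtable data).
function makeSampleBase() {
  return {
    listeningSessions: {
      rec123456789: { owner: 'user1@example.com', vinylRecords: [] }, // user 1's session
      rec987654321: { owner: 'user2@example.com', vinylRecords: [] }, // user 2's session
    },
    collection: {
      recVinylA: { owner: 'user2@example.com' }, // a record in user 2's collection
    },
  };
}

// Vulnerable shape: whatever session id came through ?recordid=... is used as-is.
// `actor` is accepted but never consulted, which is exactly the gap described above.
function appendUnchecked(base, actor, sessionId, vinylId) {
  const session = base.listeningSessions[sessionId];
  if (!session) return { ok: false, reason: 'no such session' };
  session.vinylRecords.push(vinylId);
  return { ok: true };
}

// Hardened shape: the acting user (taken from the login, not from the URL) must own
// both the target listening session and the vinyl record being added. Every refusal
// is written to `audit` so unexpected cross-user writes are visible after the fact.
function appendChecked(base, actor, sessionId, vinylId, audit = []) {
  const session = base.listeningSessions[sessionId];
  const vinyl = base.collection[vinylId];
  if (!session || !vinyl) {
    audit.push(`deny actor=${actor} session=${sessionId} vinyl=${vinylId}: unknown record`);
    return { ok: false, reason: 'unknown record' };
  }
  if (session.owner !== actor) {
    audit.push(`deny actor=${actor} session=${sessionId}: not session owner`);
    return { ok: false, reason: 'not session owner' };
  }
  if (vinyl.owner !== actor) {
    audit.push(`deny actor=${actor} vinyl=${vinylId}: not in actor's collection`);
    return { ok: false, reason: 'not vinyl owner' };
  }
  // Append rather than overwrite, and keep the link list free of duplicates.
  if (!session.vinylRecords.includes(vinylId)) session.vinylRecords.push(vinylId);
  return { ok: true };
}
```

In a real Airtable automation the same check would compare the triggering user's record against the owner field on the session before calling the update; the ownership test, not the URL parameter, is what decides whether the write happens.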

Hi @rrthegefsrht, we have an option of using user groups on the action buttons which will allow specific users to see those buttons and to be able to edit/update the existing data in your data source. The feature is called “Action permissions”; I showed it in the attached screenshot:

This wouldn’t solve the problem though.

Both users are users of the app, and can perform the same actions.

The issue is that user 2 has the Record ID of user 1, and can perform actions on the Record ID of user 1.

Hi,

You could use visibility conditions on action buttons, that would solve the problem?

@matthieu_chateau how so?

In this scenario, both people are users of the app. They would and should have access to the same buttons. All things are equal, the security concern arises when user 1 shares a URL that contains their Record ID in a parameter with user 2.

The issue isn’t button visibility, it’s that Softr doesn’t currently have functionality that prevents a user from using a button where that button is using a URL parameter that is linked to a different user.

How sure are you about this?
Don’t worry, I know exactly what you want to do.
I will try to come back to you tomorrow with something. Overall Softr & Airtable setup are also to be considered but this is clearly not a security issue coming from Softr, much more of an overall app design concern.

Just a precision to be sure as I can’t visualize it: what is shared is an item (list details block) or a list block (multiple items)?

@matthieu_chateau the URL to the Collection page, which contains a list block with multiple items.

Also, how is your base set up in Airtable?
For this specific use case, the tables involved are a users table + a vinyl records table? Nothing more?

So I made an app framework to show you how it could be.
I made the user experience a bit more restrictive concerning the url share.

Here are two magic links for two users (User A / User B). You can switch to one or another user in your browser (the last clicked magic link becomes the logged-in user in all your browser tabs if you do a page refresh).

You can take the shareable list URL of a user (let’s say User A), become another user (User B) and copy-paste the shareable list URL of User A while being User B.

User A: https://test-play-2.softr.app/magic-authentication?magic-token=d81c9c0bfdaa40b09725cfd4ded38f9c

User B: https://test-play-2.softr.app/magic-authentication?magic-token=6a043a6d8e464bbdbbff250131a4b07c

Tell me if this sounds right so I can show everything about the setup.
Everything relies on a junction table made of temporary records + an Airtable automation.

Though I will be able to make it simpler by adding some JavaScript in Softr, will try it out tomorrow.