Security Problem In FORMS view
Arman Vali
Form URL is accessible without log-in (which is a super great feature) but at the same time it means anyone can brute force data into our system.
A few ideas to improve security of Forms:
- Optional Captcha section in Forms
- Daily/Weekly/Monthly entry volume limit or total entry limit. An optional field in the sidebar settings section where members can enter the limit; if people open that URL after the specified volume has been reached, an error appears indicating that the limit is reached
- Alert system to notify members if some scenario has happened.
and some background security systems like IP ban when anything suspicious happened.
Form view is awesome and we are using it for generating leads, getting applications for our HR and many other purposes, and with security improvements it will be much safer to use in our public channels.
Best
Arman
Craig Wallace
Just like Google Suite, we need the ability to choose to 'Only allow users in our ClickUp workspace' to be able to submit forms. This is a basic security requirement, especially considering the People field can reveal the names of all users in the workspace.
Kristen Connolly
Same with attachments! We just discovered that all attachments in ClickUp are public-facing (e.g. when they are an attachment to an email to a support@ address that becomes a ClickUp Task, or when you email out from within a Task and someone replies and includes an attachment). Because it is really relevant to how our team hopes to use threaded emails, I wanted to share it with the folks on this Feature Request. See https://clickup.canny.io/feature-requests/p/dont-make-attachments-available-externally-via-url-unless-specifically-set for more info, in case you also find it relevant.
Shaquille Payne
Merged in a post:
Security risk for Clickup FORMS
Dushan Nedelkovich
After speaking to Clickup support, it would seem that anyone with the link can submit and spam Clickup forms, and overwhelm our existing internal Clickup boards. My question was about restricting access to forms only for logged-in Clickup users, members of our space, but I was told that "anyone with the link can submit".
Please consider the use case where a random person gets this link, and spams 200,000 form submissions while rotating their IPs, or gets insight into confidential biz-intelligence based on the way form questions are asked, or starts uploading attachments (because most of our forms have attachments allowed).
Feature request to add a simple option on forms: "Make this form public, even for non-logged in users? Yes/No"
Thanks for considering this security issue.
Ibrahim Ennafaa
I have the same use case but slightly different. Some users in my company don't have access to ClickUp but still need to access the form.
No one external to our company should access the Form though, for obvious reasons (security, confidentiality, spam risk etc ...)
We should have multiple modes to share the Form:
- Public: anyone on the internet
- Restricted: Allowed IP addresses for the link (+ an option to disable the direct link completely to only allow the embed) / Allowed domains for the embed code
- Private: Only ClickUp users
Zeb this security breach is super concerning. It got flagged by our security department as a serious threat. Do you know if anything is planned around that?
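The controls asked for in this thread (Arman's volume limits, alerts and IP ban above, and the Public / Restricted / Private sharing modes in this post) can be sketched as a single server-side gate in front of a form endpoint. The following is an added example written for this discussion; it is not ClickUp code and does not describe how ClickUp Forms actually work. `FormPolicy`, `Submission`, `FormGate`, the IP ranges, hostnames and timestamps are all hypothetical, constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class FormPolicy:
    """Hypothetical per-form settings a workspace member could fill in."""
    mode: str = "public"                    # "public" | "restricted" | "private"
    allowed_networks: List[str] = field(default_factory=list)  # restricted: CIDRs for the direct link
    allowed_origins: List[str] = field(default_factory=list)   # restricted: hosts allowed to embed
    allow_direct_link: bool = True          # restricted: False means embed only
    daily_limit: Optional[int] = None
    weekly_limit: Optional[int] = None
    monthly_limit: Optional[int] = None
    total_limit: Optional[int] = None
    ban_after_rejections: int = 3           # auto-ban an IP after this many access violations


@dataclass
class Submission:
    client_ip: str
    at: datetime
    origin: Optional[str] = None            # host of the embedding page (Origin/Referer); None = direct link
    user: Optional[str] = None              # logged-in workspace member, None if anonymous


class FormGate:
    def __init__(self, policy: FormPolicy, alert: Optional[Callable[[str], None]] = None):
        self.policy = policy
        self.alert = alert or (lambda msg: None)   # notification hook (email, chat, ...)
        self.accepted: List[datetime] = []          # timestamps of accepted entries
        self.rejections: Dict[str, int] = {}        # client_ip -> access violations
        self.banned: Set[str] = set()

    def _count_since(self, since: datetime) -> int:
        return sum(1 for t in self.accepted if t >= since)

    def _ip_allowed(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(n, strict=False) for n in self.policy.allowed_networks)

    def _reject(self, sub: Submission, reason: str, suspicious: bool = True) -> Tuple[bool, str]:
        self.alert(f"rejected submission from {sub.client_ip}: {reason}")
        if suspicious:  # only access violations count towards a ban, not quota hits
            n = self.rejections.get(sub.client_ip, 0) + 1
            self.rejections[sub.client_ip] = n
            if n >= self.policy.ban_after_rejections and sub.client_ip not in self.banned:
                self.banned.add(sub.client_ip)
                self.alert(f"banned {sub.client_ip} after {n} rejected submissions")
        return False, reason

    def check(self, sub: Submission) -> Tuple[bool, str]:
        p = self.policy
        if sub.client_ip in self.banned:
            return False, "ip banned"
        if p.mode == "private" and sub.user is None:
            return self._reject(sub, "login required")
        if p.mode == "restricted" and sub.user is None:   # members always pass
            if sub.origin is not None:                     # came through an embed
                if sub.origin not in p.allowed_origins:
                    return self._reject(sub, f"embed origin {sub.origin} not allowed")
            else:                                          # came through the direct link
                if not p.allow_direct_link:
                    return self._reject(sub, "direct link disabled, embed only")
                if not self._ip_allowed(sub.client_ip):
                    return self._reject(sub, "client ip not in allow-list")
        windows = (("daily", p.daily_limit, timedelta(days=1)),
                   ("weekly", p.weekly_limit, timedelta(weeks=1)),
                   ("monthly", p.monthly_limit, timedelta(days=30)))
        for label, limit, window in windows:
            if limit is not None and self._count_since(sub.at - window) >= limit:
                return self._reject(sub, f"{label} entry limit of {limit} reached", suspicious=False)
        if p.total_limit is not None and len(self.accepted) >= p.total_limit:
            return self._reject(sub, f"total entry limit of {p.total_limit} reached", suspicious=False)
        self.accepted.append(sub.at)
        return True, "accepted"


def demo() -> Tuple[List[Tuple[bool, str]], List[str]]:
    """Constructed scenario: restricted form, office IP range + one intranet embed, 2 entries per day."""
    alerts: List[str] = []
    policy = FormPolicy(mode="restricted", allowed_networks=["203.0.113.0/24"],
                        allowed_origins=["intranet.example.com"], daily_limit=2)
    gate = FormGate(policy, alert=alerts.append)
    t0 = datetime(2024, 1, 1, 9, 0)
    results = [
        gate.check(Submission("203.0.113.7", t0)),                                        # office IP, direct link
        gate.check(Submission("198.51.100.9", t0, origin="intranet.example.com")),        # allowed embed
        gate.check(Submission("198.51.100.9", t0 + timedelta(minutes=1), origin="intranet.example.com")),  # quota hit
        gate.check(Submission("192.0.2.55", t0, origin="unknown.example.net")),           # foreign embed
        gate.check(Submission("192.0.2.55", t0)),                                         # unknown IP, direct
        gate.check(Submission("192.0.2.55", t0)),                                         # third violation: banned
        gate.check(Submission("192.0.2.55", t0 + timedelta(days=1))),                     # still banned next day
    ]
    return results, alerts


if __name__ == "__main__":
    for r, a in zip(*demo()):
        print(r, "|", a)
```

The quota rejections deliberately do not count towards the IP ban, so a legitimate employee who hits the daily limit is told so but not locked out; only access-policy violations (wrong embed origin, IP outside the allow-list, anonymous access to a private form) accumulate towards `ban_after_rejections`. Every rejection still goes through the alert hook, which is the notification Arman asked for.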
Eric Wightman
Hey Ibrahim Ennafaa! Thanks so much for your feedback! While we aren't currently working on the ability to restrict access of URLs to certain IP addresses, I have brought it up with the team!
I'd also like to note a few other options that could help with your situation:
- One option is to add those individuals who need to access your form as guests on your Workspace. Then create an embed view and add your Form code to that embed view. Finally, invite your employees to that Embed view. This way, someone will need to log in to access that form which would be more secure than sharing the URL with them externally.
- Add the embed code onto a separate site that you fully control, so only those with access to that site (based on IP) can access it.
Ibrahim Ennafaa
Eric Wightman: Thanks Eric. Yes, we did that already. But still ... anyone could retrieve the URL and spam us or worse.
Eric Wightman
Ibrahim Ennafaa: Definitely! Our team actually spoke in a meeting about some options that would help here today. I don't have a time frame or any specifics that I can provide right now but we do understand the concern and will continue to think of ways to improve Forms!
Arman Vali
any news regarding adding CAPTCHA to the FORM view?
Dushan Nedelkovich
To make things worse - if your employee submits the form while not being logged in (from their phone, tablet, or they simply got logged out) - you will not be able to tell WHO submitted the form/request. There's no way to see who created the card. Quite painful.