Using profile in create mode with dedupe rule allows for leaking of private information
Overview
An anonymous user who fills in a profile in create mode with deduping enabled and leaves fields blank will, if a duplicate is found, be shown the existing values for those fields. So if your unsupervised dedupe rule matches on email only, anyone can enter a contact's email address, leave the remaining fields blank, and be shown that contact's existing data for every field that appears on the profile. This leaks private information to anyone who knows minimal information about a contact and could be used maliciously to harvest data.
Reproduction steps
- Create a profile that includes the fields in your unsupervised dedupe rule, plus any other fields desired.
- Use the profile in create mode anonymously, filling in only the fields required to match to an existing contact and leaving the other fields empty.
- After submitting the profile, you are shown the existing contact's data for every field you left blank.
Current behaviour
Profile fields that are submitted blank are shown on the profile confirmation screen populated with the matched contact's existing data.
Additionally, the confirmation page URL contains both the contact id and the checksum for the matched contact, which together could be used to access other profiles or forms as that contact, exposing additional data.
Expected behaviour
All profile fields should be shown exactly as submitted on the profile confirmation screen.
The confirmation page URL should not contain the contact id or checksum for the matched contact.
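To make the reproduction steps and the expected behaviour concrete, the following added example (not code from the project this report is filed against) models a profile submitted in create mode against an email-only unsupervised dedupe rule. The contact store, field names, profile layout and the `make_checksum` helper are constructed for illustration; `vulnerable_confirmation` reproduces the current behaviour (blank fields back-filled from the matched contact, contact id and checksum placed in the confirmation URL) and `fixed_confirmation` the expected one (only submitted values shown, no identifiers in the URL). `leaked_fields` is the check a reviewer can run against either rendering.

```python
"""Model of profile create-mode deduping: leaking vs. expected confirmation.

Added example, not the project's own code. The contact data, dedupe rule,
profile field list and checksum scheme below are all constructed.
"""
import hashlib
import hmac

# Constructed sample contact store: contact id -> stored field values.
CONTACTS = {
    101: {
        "email": "alice@example.org",
        "first_name": "Alice",
        "last_name": "Smith",
        "phone": "+1 555 0100",
        "street_address": "1 Main St",
    },
}

# Fields placed on the profile, and the unsupervised dedupe rule (email only).
PROFILE_FIELDS = ["email", "first_name", "last_name", "phone", "street_address"]
DEDUPE_RULE = ["email"]

# Hypothetical site key used to derive the contact checksum token.
SITE_KEY = b"constructed-site-key"


def make_checksum(cid):
    """Stand-in for a per-contact checksum token (hypothetical scheme)."""
    return hmac.new(SITE_KEY, str(cid).encode(), hashlib.sha256).hexdigest()[:16]


def find_duplicate(submitted, contacts, rule):
    """Return the id of the first contact matching on every rule field, else None.

    A blank rule field never matches, mirroring an anonymous submission that
    supplies only the minimal data needed to hit an existing contact.
    """
    for cid, data in contacts.items():
        if all(
            submitted.get(f, "").strip()
            and submitted[f].strip().lower() == data.get(f, "").lower()
            for f in rule
        ):
            return cid
    return None


def vulnerable_confirmation(submitted, contacts, rule, profile_fields):
    """Current behaviour: blank fields are back-filled from the matched contact
    and the confirmation URL carries that contact's id and checksum."""
    cid = find_duplicate(submitted, contacts, rule)
    shown = {}
    for f in profile_fields:
        value = submitted.get(f, "").strip()
        if not value and cid is not None:
            value = contacts[cid].get(f, "")  # existing data leaks to the submitter
        shown[f] = value
    url = "/profile/confirm"
    if cid is not None:
        url += "?cid=%d&cs=%s" % (cid, make_checksum(cid))
    return shown, url


def fixed_confirmation(submitted, contacts, rule, profile_fields):
    """Expected behaviour: every field is shown exactly as submitted, and the
    matched contact id and checksum never reach the anonymous client.

    The match is still computed (the server needs it to merge the submission
    into the existing record) but is not surfaced in the rendered page or URL.
    """
    _matched_cid = find_duplicate(submitted, contacts, rule)
    shown = {f: submitted.get(f, "").strip() for f in profile_fields}
    return shown, "/profile/confirm"


def leaked_fields(submitted, shown):
    """Fields whose displayed value differs from what the submitter sent."""
    return sorted(f for f, v in shown.items() if v != submitted.get(f, "").strip())


if __name__ == "__main__":
    attacker_submission = {"email": "alice@example.org"}  # knows only the email
    for render in (vulnerable_confirmation, fixed_confirmation):
        shown, url = render(attacker_submission, CONTACTS, DEDUPE_RULE, PROFILE_FIELDS)
        print(render.__name__, url, "leaked:", leaked_fields(attacker_submission, shown))
```

Run it and the vulnerable rendering reports every non-email field as leaked, with `cid` and `cs` in the URL, while the fixed rendering reports none and a bare confirmation URL.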
Comments
Have marked this confidential, since there is a potential for malicious use.