API data leak even using proxies?

UWS_services
4 - Data Explorer

Hello, I’m actually using proxies to GET/POST information into Airtable from a mobile app.

Proxies use the “&field” filter, so the GET response only contains a limited number of fields in the response. This is the approach I have seen suggested around the forum to return a limited number of fields.

To my surprise, if “?id=record_id” is added to a proxied endpoint, then no matter what “field” filters are included in the proxy internals, they are bypassed and all fields from the record are returned.

With all the fields returned, there are dozens of linked records from other tables. Again to my surprise, if any of the linked record IDs from other tables is appended to the proxied URL ?id=linked_record_id, then the linked record is fully returned (with all its fields).

This creates a huge security issue on my app if exploited and I have seen no documentation, comments or security practices about it anywhere or ways to solve this situation. Any clue? Is anyone having the same problem?

As a live example:

  • GET https://proxied_url?filterByFormula=recordid=example_recordid

Returns only the filtered fields I set up in the proxy from that example record id.

  • GET https://proxied_url

Returns filtered fields and all the records from the table.

But things go weird if I retrieve:

  • https://proxied_url?id=example_recordid

OR

  • https://proxied_url?filterByFormula=recordid=example_recordid&id=example_recordid

Which returns the full record, even if I add the filterByFormula inside the proxy.
To make it worse, if I point to a linked record:

  • https://proxied_url?filterByFormula=recordid=example_recordid&id=linked_recordid

It returns full data from the record id from another table.

Finally, since that linked record has, at the same time, dozens of linked records from several orders, I can easily get the full records of each order that has been created from that product.

Basically the worst nightmare if I am trying to protect my customers’ data.

The question is… how do you guys solve this mess? Can you point me to somewhere where I can get some rational explanation about this and how to avoid it?
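
The behaviour described in the post above is consistent with a proxy that forwards the caller's query string to the upstream API. As an added example (not part of the original thread, and not Airtable's or any proxy vendor's code), this proxy-side sketch rebuilds the upstream query from an allowlist and re-applies the field allowlist to the response. The field names, the `record` parameter and the record-ID pattern are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Assumptions for this sketch: the field names, the "record" parameter and the
# record-ID pattern are hypothetical choices for illustration. The response
# shapes handled are a {"records": [...]} list and a single {"id", "fields"}.
ALLOWED_FIELDS = {"Name", "Price"}      # fields the mobile app may see
ALLOWED_PARAMS = {"record"}             # the only parameter clients may send
RECORD_ID = re.compile(r"rec[A-Za-z0-9]{14}")


class RejectedRequest(ValueError):
    """Raised when the client sends anything outside the allowlist."""


def build_upstream_params(client_query):
    """Build the upstream query from scratch; never forward the client's string."""
    pairs = parse_qsl(client_query, keep_blank_values=True)
    seen = set()
    for key, _ in pairs:
        # Rejects "id", "fields[]", "filterByFormula" and duplicated keys alike.
        if key not in ALLOWED_PARAMS or key in seen:
            raise RejectedRequest(f"parameter not allowed: {key!r}")
        seen.add(key)
    params = [("fields[]", name) for name in sorted(ALLOWED_FIELDS)]
    if pairs:
        record_id = pairs[0][1]
        if not RECORD_ID.fullmatch(record_id):
            raise RejectedRequest("malformed record id")
        # Safe to embed: the value matched a strict alphanumeric pattern.
        params.append(("filterByFormula", f"RECORD_ID()='{record_id}'"))
    return params


def _strip(record):
    fields = record.get("fields", {})
    return {"id": record.get("id"),
            "fields": {k: v for k, v in fields.items() if k in ALLOWED_FIELDS}}


def filter_response(payload):
    """Enforce the field allowlist on the way out, whatever upstream returned."""
    if "records" in payload:            # list response
        return {"records": [_strip(r) for r in payload["records"]]}
    if "fields" in payload:             # single-record response
        return _strip(payload)
    return {}                           # unknown shape: return nothing
```

Filtering the response as well as the request means linked-record ID arrays in non-allowlisted fields never reach the client, even if an upstream parameter changes what is returned.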

3 Replies
DamianFrancis
4 - Data Explorer

It sounds like your current setup might have some vulnerabilities that are allowing these leaks. Have you considered reaching out to Airtable support or exploring advanced proxy settings that offer more granular control over data requests and responses?

SarahiDyer
4 - Data Explorer

Just read your post about the API data leak issue you're facing, even when using proxies. That's quite a head-scratcher, especially with the unexpected behavior when appending record IDs to proxied URLs. It's concerning that the internal field filters in the proxy are being bypassed, leading to potential security risks. It's crucial to look into more secure and robust proxy configurations. Your situation reminds me of discussions around proxies for Instagram. There, many highlighted the importance of choosing proxies that not only manage data requests efficiently but also ensure data security and integrity.

vondes_vondes
4 - Data Explorer

Reach out to Airtable support directly. They may be able to provide insights into the issue and offer guidance or solutions. As a paid service, they usually have support channels for addressing user concerns. Ensure that you are using the latest version of the Airtable API. Sometimes, issues are addressed in newer releases, so updating your integration to the latest version might resolve the problem. But still, buying proxies is sometimes necessary, banally because of country bans. Check Airtable's official documentation for any updates or changes to the API that might be relevant to your situation. Look for sections on security best practices or any changes to how linked records are accessed.