
Important protection reminder: reducing spam on forms

As many of you are aware, we have had issues with the availability of machforms and other sites on our apps01 service recently. You may also have noticed that machforms that were previously, and necessarily, available to the public are now behind Passport York logins.

An apparent machform vulnerability in its file upload feature has been exploited, leading to a great number of inappropriate files being loaded onto our servers. The links to these files have subsequently been propagated into the wild, and our servers have been inundated with requests for them.

As a result, we have had to completely block external access to the few machform sites that were hit the hardest, and to restrict access to the rest via Passport York (PPY) to avoid further exploitation. We understand the terrible inconvenience this causes, but there was not a good alternative. We have been suggesting that moving active public forms to another platform, such as Gravity Forms or MS Forms, may be necessary while we sort this out.

This attack is an important reminder that all website owners MUST follow best practice for the forms on their websites. Currently, forms without anti-spam protections are highly vulnerable, which can lead to several issues:

  1. Excessive Spam Submissions – Bots can flood forms with irrelevant or malicious content, overwhelming servers and inboxes and making it harder to process legitimate requests.   
  2. Reputation & Security Risks – Spam submissions may contain harmful links or inappropriate content, potentially damaging the credibility of York University’s online presence. 
  3. Resource Drain – Staff time is wasted filtering out illegitimate entries, reducing efficiency and slowing down response times to genuine requests. 
  4. System Strain – High volumes of automated submissions can put unnecessary load on servers and databases, impacting overall website performance. 

Equally important to our data security is the type of document uploaded.

We put our users and ourselves at risk by requesting the upload of sensitive documents such as passports, driver's licences, birth certificates, medical documents, etc. Machform, in particular, does not load or store documents securely, so we cannot use it for these types of sensitive and personally identifying documents.

To mitigate these risks, it is strongly recommended to implement anti-spam parameters such as: 

  • A skill testing question on the form (with exact match) 
  • Rate limiting or submission throttling 
  • Basic input validation and filtering 

These measures not only protect your forms but also ensure a better user experience for prospective and current students, faculty and staff, and external partners who rely on York University websites for accurate and timely communication. 

Here are some steps you can take to reduce the number of harmful documents being added to our servers:

  1. Delete old forms – many forms are still digitally available even after they have expired. If your form is no longer relevant, please delete it so that bots cannot crawl and find it.
  2. Decommission unused form sites – please let UIT know if a machform site is no longer needed so that it can be decommissioned completely.
  3. Review submissions and delete harmful uploads – review your form submissions and delete any submission that contains harmful files (this is common with PDFs).
  4. Restrict file uploads – if your form has a file upload, make sure anti-spam parameters are added to the form, as uploaded files can be added to our server from external sources.
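The following is an added example, not code from the original notice or from Machform itself, showing how the three anti-spam measures listed earlier (a skill-testing question with exact match, rate limiting or submission throttling, and basic input validation and filtering) and the file-upload restrictions from step 4 can be enforced server-side in one form handler. The question and answer pair, the per-client submission limit, the size cap and the set of allowed file types are assumptions chosen for illustration; the sample submissions at the bottom are constructed.

```python
"""Added example: server-side protections for a public web form.

Framework-agnostic: call handle_submission() from whatever code receives the POST.
"""
import re
import time
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# --- 1. Skill-testing question (assumed pair; keep the answer server-side only) ---
SKILL_QUESTION = "What is three plus four? (answer in digits)"
SKILL_ANSWER = "7"


def skill_check(answer: str) -> bool:
    """Exact match on the trimmed answer; no fuzzy matching a bot could brute-force."""
    return answer.strip() == SKILL_ANSWER


# --- 2. Rate limiting: sliding window of submissions per client key (e.g. IP) ---
class RateLimiter:
    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit              # max submissions allowed inside the window
        self.window = window_seconds    # window length in seconds
        self._hits = defaultdict(deque)  # key -> timestamps of recent submissions

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# --- 3. Basic input validation and filtering ---
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def validate_fields(fields: Dict[str, str], max_len: int = 2000, max_links: int = 1) -> List[str]:
    """Return a list of problems; an empty list means the fields passed."""
    problems = []
    if not EMAIL_RE.match(fields.get("email", "")):
        problems.append("email: invalid format")
    message = fields.get("message", "")
    if len(message) > max_len:
        problems.append("message: too long")
    if len(URL_RE.findall(message)) > max_links:   # link-stuffed messages are typical spam
        problems.append("message: too many links")
    return problems


# --- 4. File upload restrictions: extension allowlist, magic bytes, size cap ---
ALLOWED_TYPES = {                     # assumed allowlist: extension -> expected leading bytes
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024    # assumed cap


def check_upload(filename: str, data: bytes) -> List[str]:
    """Reject uploads whose name, size or content is not what the form expects."""
    problems = []
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in ALLOWED_TYPES:
        return [f"upload: extension {ext or '(none)'} not allowed"]
    if len(data) > MAX_UPLOAD_BYTES:
        problems.append("upload: file too large")
    if not data.startswith(ALLOWED_TYPES[ext]):   # content must match the claimed type
        problems.append("upload: content does not match extension")
    return problems


def handle_submission(fields: Dict[str, str], client_key: str, limiter: RateLimiter,
                      upload: Optional[Tuple[str, bytes]] = None,
                      now: Optional[float] = None) -> Tuple[bool, List[str]]:
    """Run every check; returns (accepted, reasons). The cheapest check goes first."""
    if not limiter.allow(client_key, now):
        return False, ["rate limit exceeded"]
    reasons = []
    if not skill_check(fields.get("skill_answer", "")):
        reasons.append("skill-testing answer incorrect")
    reasons += validate_fields(fields)
    if upload is not None:
        reasons += check_upload(*upload)
    return (not reasons), reasons


if __name__ == "__main__":
    limiter = RateLimiter(limit=3, window_seconds=60)
    # Constructed submissions: one legitimate, one with a mislabelled "PDF".
    good = {"email": "student@example.ca", "message": "Question about my form.", "skill_answer": "7"}
    print(handle_submission(good, "198.51.100.7", limiter, ("letter.pdf", b"%PDF-1.7 sample")))
    print(handle_submission(good, "198.51.100.7", limiter, ("letter.pdf", b"<html>not a pdf</html>")))
```

The upload check deliberately looks at the file's leading bytes rather than trusting the extension, so a file renamed to `.pdf` that is not actually a PDF is rejected before it reaches the server's storage.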

If you would like support in reviewing or updating your forms, please don't hesitate to reach out so that we can best safeguard York University's digital environment.
