Over recent years, No-Code development platforms have surged in popularity, democratizing the process of app and website creation. Bubble.io stands at the forefront of this movement, recognized for its user-friendly interface and diverse range of features.
However, an unprecedented event recently shook the Bubble.io community - a significant data breach of an application built on the platform. For the first time, a Bubble.io-created app was publicly embroiled in a data privacy scandal, as sensitive user information was leaked online and widely disseminated via Twitter. The incident drew significant attention, even receiving coverage on national French television channels. This marked the first major public scandal related to Bubble.io security and its data privacy measures.
In a revealing communication, Stéphane, CEO of Droite au Coeur, lamented:
X the firm that developed the site, gave us confidence initially and assured us about security […] However, this did not happen, and the follow-up was deplorable.
As translated from French, Stéphane highlighted the distress caused by the circumstances.
In this article, we will delve into the specifics of the breach, the subsequent resolution, the responsibility attributions, and the far-reaching implications of this event.
On July 29, 2023, Mathis Hammel, a Twitter user, posted a shocking tweet. He pointedly asked the team behind the dating site, @CoeurDroite, to prioritize cybersecurity, revealing that their entire personal database was prone to a breach. Hammel exposed the vulnerability of the platform, which included critical details such as marital status, sexual orientation, and email addresses.
Hello @CoeurDroite , would it be a good idea to take an interest in cybersecurity?
It’s possible to leak the entire personal database of your dating site in a few seconds: marital status, sexual orientation, email address…
The compromised app, Droite au Coeur, is a dating site for French patriots, often associated with far-right political affiliations. This ideological leaning likely made it an attractive target.
Hammel elaborated on the nature of the breach in subsequent tweets, highlighting the surprising ease with which he discovered the flaw - simply by pressing F12. The main issue was the lax privacy rules that left the app’s database exposed and easily accessible via any browser’s Debug Tools for those with fundamental knowledge.
In the aftermath, Hammel and other Twitter users humorously contrasted the reality of this breach - its startling simplicity - with the imagined complexities of hacking.
How people imagine piracy vs. what really happened
Initially, the data leak seemed to comprise mainly user details intended to be publicly accessible via the app (like sexual orientation, and marital status). However, given the political bent of the website, the leak potentially placed users at risk of ideologically driven targeting. A simple script could facilitate the export of the entire database, including the list of users.
As the extent of the breach became clear, it emerged that other, non-public data had also been compromised. This included email addresses and, most concerning, precise geocoordinates and postal addresses without any obfuscation.
In terms of cybersecurity, we discovered that users were inadvertently providing their full address in response to a prompt for their postal code.
Given the political nature of the app, the leaked data put its users at high risk of harassment and privacy infringement. Furthermore, the data breach violated several regulations, including European GDPR laws and French data privacy laws, potentially leading to legal repercussions for the app.
The tweet quickly went viral, garnering almost six million views - likely due to the political implications of the breach. As Twitter users engaged with the original tweet, the incident gained traction in tech media and eventually caught the attention of national TV channels.
“Droite au cœur, dating site for “patriots”, was leaking its user’s data”
Extract from the main French TV channel BFMTV.
As the news spread, the app faced an unprecedented surge in traffic and fake profile sign-ups. The team was forced to temporarily shut down the website for maintenance and issue resolution, to safeguard their users.
The fallout continued, with a significant blow to the platform’s reputation as many existing users opted to delete their accounts over concerns about their personal data’s security.
This incident marks a watershed moment in both the Bubble and broader No-Code ecosystems. The first major public security scandal involving a Bubble-built app, it’s likely to significantly influence future cybersecurity measures within the Bubble.io platform.
In every event where risk is involved, it is customary to find someone to hold accountable. The app in question was designed by a French Bubble.io agency, and the critical question now is - who should shoulder the blame for the data leak?
Is it Droite au Coeur, the app’s creators, or is the onus on the French agency that developed the app, or perhaps, Mathis Hammel, the hacker? The resolution to this question is rather complex
Several individuals, including well-known white-hat hackers, took to Twitter to question the ethics of Mathis Hammel’s methods and his decision to publicly reveal the leak.
Not very ethical to publicly expose a flaw that can impact many users…
The choice to expose such a vulnerability publicly raises ethical concerns as it could potentially endanger many users and erode the trust in the business.
Indeed, the public disclosure of such breaches can impact not only the business’s reputation but also put in danger its users who bear no responsibility for the incident. On the flip side, it helps highlight the possibility of a security breach, making users aware of their data’s vulnerability.
We encountered a similar quandary when launching our Free Privacy Rules Checker for Bubble apps.
The optimal strategy when discovering such a vulnerability is to inform the application’s owners to rectify the issue. The European Commission also provides guidelines for dealing with data leaks if the application owners fail to respond that can be found here: EU Commission data breach guidelines.
Going public with the leak is a matter of personal choice, provided that the breach has been rectified and is no longer exploitable.
However, in this particular incident, we take issue with the hacker’s approach since he chose to leak the data merely to create a buzz on Twitter and for political motivations, without waiting for the vulnerabilities to be resolved. This decision has put Droite au Coeur’s entire user base at risk.
Significantly, the app was not developed in-house but was outsourced to a French Bubble.io agency.
Droite au Coeur’s CEO expressed his frustration with the process, stating, “The structure that was in charge of site development did their best, but the original framework established by [the developer] was catastrophic, illegible, and incomprehensible.”
The agency ranks among the top 20 French Bubble agencies, but we won’t disclose its name since it has not yet been made public.
Our research, conducted earlier this year regarding the ecosystem’s security, aligns with this. We found that 89% of the Top 100 apps displayed at least one critical security vulnerability. We also determined that around 65% of apps developed by Bubble agencies had vulnerabilities. (Read our 2023 report: A Comprehensive Overview of the Security of the Top 100 Apps Made on Bubble.io)
This data supports the notion that many agencies lag in ensuring the security of the apps they produce, and this appears to be the first public example.
Part of apps with sensitive data leaks from the Top 100 Bubble.io apps. Data that could not be identified as either sensitive or secure is referred to as “Unknown”.
Easily, the agency could be held accountable for the oversight and the security breach. However, the reality is more complex.
Like most agencies, once the application is finalized and released, it is handed over to the clients, granting them full control. As a majority of agency clients lack technical expertise, they can easily make errors or change Privacy Rules settings, which was the culprit in this instance. The misnomer ‘no-code’ often misleads clients into believing they can make changes effortlessly after the app development has concluded.
Furthermore, tracing the changes made to an application to identify who altered a specific setting can be quite a challenge.
The incident’s repercussions on the agency’s reputation remain uncertain since their name has not been publicly associated with the event.
“At the moment, we do not plan to file legal attacks or lawsuits against [the Bubble agency],” as Stéphane informed, indicating a forward-focused response from the company.
Strangely enough, neither the Twitter feed nor the TV broadcasts mentioned that the app was developed on Bubble.io or No-code, possibly because the political aspect overshadowed it.
The obvious next target for blame is Bubble itself. How could such a data leak occur on Bubble?
The answer to this isn’t straightforward. Bubble.io is a robust platform with stringent data security measures. However, its accessibility and user-friendly interface attract an audience that may lack in-depth cybersecurity knowledge and an understanding of current data privacy regulations, which could potentially pose risks for end-users.
This issue is further exacerbated by inadequate information on security practices and a scarcity of public reports on previous or known vulnerabilities (this incident being the first).
Ultimately, Bubble provides the necessary tools to secure an app, but the responsibility falls on the developers (both agencies and individuals) to research, learn, and implement these tools to ensure application security.
Recently, tools from third parties have surfaced to simplify the security process for your Bubble.io app. Despite our acute awareness of security, human error is always a potential threat. Tools like Flusk Vault (our offering) or NcScale assist in identifying and rectifying security vulnerabilities in your Bubble app.
In what appears to be an unprecedented occurrence, this event signals the first of potentially many more to come.
It’s essential to contextualize this event within the backdrop of the meteoric rise of no-code tools, specifically Bubble.io. With an increasing number of applications being developed via Bubble.io, it’s inevitable that more applications will contain security vulnerabilities. Therefore, we need to maintain a relentless focus on privacy and data security to preserve the ecosystem’s security and credibility.
Delving into the broader context, this incident serves as a potent reminder of the escalating security concerns surrounding no-code platforms. As more novices venture into app development through these platforms, the probability of inadvertent security lapses soars, creating a ripe environment for cyber threats. The hacker landscape is also becoming more complex and dangerous in the no-code space, with skilled hackers identifying and exploiting these vulnerabilities for their gain.
Growth curve of the number of apps running on Bubble.io between 2013 and 2022. Source BuiltWith.
We have confirmed that Droite au Coeur has taken the necessary steps to rectify the security vulnerabilities, thereby safeguarding their users from now on. An intriguing question in the aftermath of such incidents is whether a company can recuperate trust following a security breach?
History provides a mixed bag of examples. Some companies, such as Adobe, have managed to bounce back stronger after a data breach by implementing robust security measures and demonstrating their commitment to user data protection. However, others struggle to regain consumer confidence and suffer reputational damage. Much depends on how the company responds to the breach and communicates with its users.
Time will tell which trajectory Droite au Coeur will follow.
Read the full article on our blog.
Wes & Victor from Flusk