I need to shut down one of my apps as it has been hacked! This is urgent!
Thanks!
create blank index page
temporarily redirect the domain
@canadianapps How can I do that?
I believe you use Cloudflare, right?
here is how to forward:
I am using DreamHost. I will look into forwarding the domain. I am not sure how that will work but willing to try anything at this point.
What is happening is that someone, for some reason, got access to my users and is charging their CC to my Stripe account, which does not make sense, but is a huge inconvenience for my users when they see unusual charges on their CC.
I don't understand why Bubble does not have stronger security. I am using their Stripe plugin.
I'm sorry to hear that.
Here is the link to Dreamhost on how to forward:
https://help.dreamhost.com/hc/en-us/articles/215455377-Redirect-a-domain
For some reason the "hacker" got access to your admin account. Make sure you are not exposing the user database via API and/or doing the proper verification for admin users.
Maybe add another layer for safety, such as restricting admin to specific IPs, SMS code verification, etc.
For now, log out the admin user and change its password. Block access to the admin section as well.
Talk to bubble support and check bubble docs on how to secure your account.
You should revoke the API key in Stripe, and don't add a new one until you've worked out where the leak is coming from. Screenshot your Stripe plugin(s)/API calls to Stripe, and someone here will be able to tell you (though cross out the key, even though revoked, to be safe).
@georgecollier I deleted all API keys and rotated the Secret and Publishable keys. I will wait until early next week to see what else could be happening. I have been in contact with Stripe for the last couple of days, and they are looking into this as well. Stripe was able to identify that this malicious intent was through the API.
Thanks so much!
@canadianapps Thanks so much; I will get this done as soon as possible.
Kind regards
@canadianapps I just changed the password to my Bubble account and logged out from all devices. Do you know how I can block access to the Admin Section?
Thanks again
Try adding a condition when the page loads, and maybe even every 5 seconds, to redirect the user to another page. Maybe there are better ways, but I would start with that.
@canadianapps OK, I have done that on many of my apps. If there's another way to block access to my Bubble account, that would be key.
I will get in touch with Bubble Support. I've reached out to them and have not heard back. Frustrating to say the least.
Thanks again, I really appreciate all your help. I will post updates here that can help other users.
If you've revoked the Stripe key, there's nothing they can do to interact with Stripe via your Bubble app.
@georgecollier Thanks much… Now I need to figure out where the leak is coming from. I am speaking with Stripe to see if they can figure it out as well. Will post an update.
Thanks again
see the above message
@georgecollier if you don't mind, can you please walk me through setting up email confirmation when someone signs up to one of my apps? How do I set this up?
Thanks a million
@georgecollier also 2FA set up
Thanks
Hello, I didn't know you can be hacked in a Bubble project except for bad Privacy rules. How did this happen? Thanks
@agence.webinti I have no idea how this happened, and I am in the process of getting to the bottom of it. I will post updates here so other users can learn from them.
Stay tuned…