I have a user or a bot who’s been trying to get into my app using multiple email variations. I have done everything I know to do, including a backend workflow, renaming the sign-up page, redirecting to a 404 page and having users request access on that page. This villain somehow is still able to sign up. Each time he/she does, I have to delete the sign-up manually on the backend. I have tried using all sorts of tools, Google verification, plugins, etc., and nothing is working to stop this.
Has anyone experienced this? And if so, how do you deal with it? How is anyone able to sign up when there is no sign-up page, after it has been renamed or deleted?
Where is Bubble’s security here or am I missing something?
@kipme001 It all comes down to following best practices in the way you build the app, as well as understanding what the different attack vectors are and preemptively putting up safeguards. In addition to Bubble’s documentation, there is an excellent resource from AirDev that talks about security best practices that I highly recommend: https://build.airdev.co/wiki/best-practices-on-security-for-bubble-applications?tab=Summary.
In addition to following general best practices, there are specific solutions that can be implemented depending on the type of “attack” or unwanted user behavior you are experiencing. For example, if it is a bot doing the sign-ups, you could implement a bot detection solution such as a captcha. If you are sure it is an actual individual person, you could capture their IP address from their browser and then build a workflow on page load that scans the current user’s IP address against a list of banned IPs you have stored in your DB; when they come to your app and your page loads, if there is a match in the banned IP list, redirect them away from your app (like to Google or the FBI website) or to a “you are blocked” page on your app. You could require email verification for sign-ups by sending them a link to the email that is registered, so that only real emails can be used, etc. There are many more pointed solutions like this depending on the problem you need to solve. Hope this helps!
PS - If you would like, I would be happy to spend a few minutes with you to look at your app and tell you if I see any gaping security holes. I build Bubble apps for a very large enterprise company; we get attacked by hackers constantly, and we also go through continuous security and penetration testing, so I have a lot of experience securing Bubble apps.
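Two of the defences described in the answer above (the banned-IP check on page load and email verification via a link) in server-side form, as an added example that is not part of the original post and not Bubble's own code. The ban list, the secret key and the IP addresses are constructed for illustration, and the redirect target `/blocked` is an assumption; in a Bubble app the same decisions would live in a backend workflow rather than in Python.

```python
"""Added example (not from the forum post or Bubble's own code): server-side
helpers for a banned-IP check run on page load, and for email verification
via a signed, expiring link token. Sample data below is constructed."""
import hashlib
import hmac
import ipaddress
import secrets
import time

# Constructed sample ban list, as it might be stored in a DB table.
# Entries may be single addresses or CIDR ranges.
BANNED_IPS = ["203.0.113.7", "198.51.100.0/24", "2001:db8::/32"]


def load_banned_networks(entries):
    """Parse ban-list rows into network objects; malformed rows are skipped."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            continue
    return nets


BANNED_NETS = load_banned_networks(BANNED_IPS)


def is_banned(client_ip, nets=BANNED_NETS):
    """True if client_ip falls inside any banned address or range.
    Unparseable input is treated as banned (fail closed)."""
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return True
    return any(addr in net for net in nets)


def page_load_redirect(client_ip, blocked_url="/blocked"):
    """Decision the page-load workflow would make: None lets the page
    render, otherwise the URL to redirect the visitor to."""
    return blocked_url if is_banned(client_ip) else None


# Email verification: an HMAC-signed token bound to the registered email,
# with an expiry, so the link only proves control of that mailbox.
SECRET_KEY = b"replace-with-a-server-side-secret"  # assumption: held server side only
TOKEN_TTL = 24 * 3600  # link validity in seconds (assumption)


def make_verification_token(email, secret=SECRET_KEY, now=None, ttl=TOKEN_TTL):
    """Build the token embedded in the verification link sent by email."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    nonce = secrets.token_hex(8)
    msg = f"{email.strip().lower()}|{expires}|{nonce}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{nonce}.{sig}"


def verify_token(email, token, secret=SECRET_KEY, now=None):
    """Check the token from the clicked link against the email being verified."""
    now = int(time.time()) if now is None else now
    try:
        expires_s, nonce, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False
    if now > expires:
        return False
    msg = f"{email.strip().lower()}|{expires}|{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    print(page_load_redirect("198.51.100.42"))  # in a banned range
    tok = make_verification_token("user@example.com")
    print(verify_token("user@example.com", tok))
```

Because the token carries its own expiry and signature, the verification step needs no extra DB column; the only stored secret is the key, and a token issued for one address cannot be reused to verify a different one.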
In addition to @michael.ong1’s suggestions, also consider what such a user might be trying to gain from their sign-ups. Presumably you have some sort of hint that led you to realising this particular user is malicious? If so, I would add in a bunch of extra monitoring functions (e.g. logging workflow activities to a DB table) to try and understand what they are doing once they log in (don’t bother with browser-based monitoring; it’s too easy to bypass for an actively malicious user).
When developing apps, threat models should be created that look into possible attack vectors and possible mitigations. This should look at different classes of user, entry points, data exfiltration, among many other vectors. I work in the IT security sector as my day job, so I can attest to how critical threat modelling is to try and understand the security risks and mitigation options for your app.
If I were encountering such an attacker, I would be mandating QR codes, email verification, IP address restrictions, request limits and data privacy rules. If such an attacker persisted, I would convert the sign-up model to an “approval required” model where you (or an administrator) must approve all sign-ups.
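The "approval required" sign-up model from the answer above, combined with the per-IP request limit and the server-side activity log it also recommends, as an added example that is not part of the original post and not Bubble's own code. The in-memory dictionaries stand in for DB tables, the limit of three sign-up attempts per IP per hour is an assumption, and all emails and addresses are constructed.

```python
"""Added example (not from the forum post or Bubble's own code): sign-ups
land in a 'pending' state until an administrator approves them, each IP
gets a limited number of attempts per window, and every action is written
to an audit log that can be queried per actor. Storage is in memory."""
import time
from collections import defaultdict, deque

SIGNUP_LIMIT = 3        # attempts per IP per window (assumption)
WINDOW_SECONDS = 3600   # sliding window length (assumption)


class SignupService:
    def __init__(self, limit=SIGNUP_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.accounts = {}                  # email -> {"status": ..., "ip": ...}
        self.audit_log = []                 # rows of the "workflow activity" table

    def _log(self, action, actor, detail, now):
        self.audit_log.append({"ts": now, "action": action, "actor": actor, "detail": detail})

    def _over_limit(self, ip, now):
        """Sliding-window counter: drop attempts older than the window, then count."""
        recent = self.attempts[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        return len(recent) > self.limit

    def request_signup(self, email, ip, now=None):
        """Called by the sign-up workflow; never creates a usable account directly."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self._over_limit(ip, now):
            self._log("signup_rate_limited", ip, email, now)
            return "rate_limited"
        if email in self.accounts:
            self._log("signup_duplicate", ip, email, now)
            return "exists"
        self.accounts[email] = {"status": "pending", "ip": ip}
        self._log("signup_pending", ip, email, now)
        return "pending"

    def _set_status(self, admin, email, new_status, now):
        now = time.time() if now is None else now
        account = self.accounts.get(email.strip().lower())
        if account is None or account["status"] != "pending":
            self._log(f"{new_status}_failed", admin, email, now)
            return False
        account["status"] = new_status
        self._log(new_status, admin, email, now)
        return True

    def approve(self, admin, email, now=None):
        """Administrator action: only pending accounts can be approved."""
        return self._set_status(admin, email, "approved", now)

    def reject(self, admin, email, now=None):
        """Administrator action: a rejected account can never log in."""
        return self._set_status(admin, email, "rejected", now)

    def can_login(self, email):
        """The login workflow's gate: pending and rejected accounts are refused."""
        return self.accounts.get(email.strip().lower(), {}).get("status") == "approved"

    def activity_for(self, actor):
        """Everything a given IP or admin did, for reviewing a suspicious actor."""
        return [row for row in self.audit_log if row["actor"] == actor]


if __name__ == "__main__":
    svc = SignupService()
    print(svc.request_signup("someone@example.com", "203.0.113.7"))
    print(svc.can_login("someone@example.com"))   # False until approved
    print(svc.approve("admin", "someone@example.com"))
    print(svc.can_login("someone@example.com"))   # True
```

The rate limiter counts attempts, not successes, so repeated sign-ups with varied email addresses from one IP run out of attempts regardless of whether each address is new, and the audit rows for that IP show the pattern without relying on anything the browser reports.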