Security concern? Someone created and then deleted users on Dev

I have a backend workflow to notify me when a user is created and also to create an associated contact which links back.

This morning while I was sleeping, I received 3 notifications that this workflow ran. When I checked, the users were deleted but the contacts were still there, pointing to a “deleted thing.”

I don’t worry too much about some random person on the internet using my development environment and creating users. But what concerns me is that they somehow were able to delete the users. Is that possible? Can users delete themselves? I haven’t built that functionality into the app anywhere.

Might they have been Temporary Users?

2 Likes

I was just digging through the logs and it looks like someone was probing the Plaid integration features. I assume a hacker trying to get data. They shouldn’t be able to find any vulnerabilities with Plaid, but what concerns me is that they somehow were able to create and then delete a user.

Do you have workflows in your app that create and delete users, and if so, do those workflows have a condition that checks the status of the current user? (Like to delete a user, the current user has to be marked as an admin?)

Also is your dev version open and public, or is it locked behind a sitewide password? Also I wonder how anyone would find the app?

1 Like

There is nothing that deletes users anywhere on the entire app.

I do have a user creation flow that uses front-end workflows.

Looking at the logs, it looks like they were also probing my live site too. I’m obviously not going to lock the live site behind a password.

I do have admin users, but again, there’s no flow to delete users, even for an admin.

Hi @brenton.strine
Maybe you need to have a look at your privacy rules.

2 Likes

How did you get that? I don’t see that checkbox in my app.

You need to go to settings → API tab & check the table…

1 Like

Oh I see. None of my tables are checked in the API. Thanks for thinking of that though.

1 Like

Weird. I’d take it to Bubble support.

My understanding was that to delete data via the app it required a workflow, and you can put a condition on that workflow to ensure that only authorized users (like admins) have deletion rights.

Data can of course be deleted via the data tab in the editor, but I assume you have 2FA on that and it’s secure.

1 Like

Even just calling up an unprivileged index page will create a temporary unprivileged user…that can be converted to a real user through the sign up process. This can be useful for storing temporary session information server-side. However, we noticed this creates a small DoS risk. In our case we were populating the User’s Slug with a pseudo-random pseudonymous identifier on user creation. This comes with a computational cost on the server-side, especially on repeated calls to landing pages. We now defer that process until completion of user on-boarding.

I came across this forum post while searching and was wondering if you’ve managed to get any clarity on this issue.