User enumeration | security vulnerabilities at login

Hello Bubble community - has anyone else experienced security issues due to user enumeration at login?
We submitted an app to Salesforce and failed the security review because of Bubble’s login form. When a non-user attempts to sign in to Bubble, a “NO_SUCH_USER” message is served. This creates a security vulnerability where a hacker can pinpoint what usernames do and do not currently exist.
We’ve lost several weeks attempting to resolve it with 2FA and are now exploring SSO.
Has anyone else come across this issue and found an easy workaround? Does anyone know why Bubble continues to serve NO_SUCH_USER when it’d be as easy to serve a more generic error message?


Most system messages can be changed. Check language settings and scroll all the way down for those that have codes which are the system ones.
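
The enumeration issue discussed in this thread, shown as an added example that is not part of the original posts and is not Bubble's code: a login handler that returns a distinct `NO_SUCH_USER` error beside one that returns a single generic error and does the same hashing work for unknown accounts, plus a regression check that compares the two responses. The user store, function names and every error code other than `NO_SUCH_USER` are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store (hypothetical): username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so an unknown username costs the same hash work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-password", _DUMMY_SALT)

# Hypothetical generic error code, identical for every failed login.
GENERIC_ERROR = {"ok": False, "error": "INVALID_CREDENTIALS"}


def login_enumerable(username: str, password: str) -> dict:
    """'Before' behaviour: distinct errors reveal which accounts exist."""
    record = USERS.get(username)
    if record is None:
        return {"ok": False, "error": "NO_SUCH_USER"}
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return {"ok": False, "error": "WRONG_PASSWORD"}  # hypothetical code
    return {"ok": True}


def login_uniform(username: str, password: str) -> dict:
    """Hardened: same response and same hash work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if username in USERS and matches:
        return {"ok": True}
    return dict(GENERIC_ERROR)


def leaks_user_existence(login, known_user: str, unknown_user: str) -> bool:
    """Regression check: do failed logins differ for known vs unknown accounts?"""
    wrong = "definitely-not-the-password"
    return login(known_user, wrong) != login(unknown_user, wrong)
```

The same comparison applies to any other flow that accepts a username, such as password reset or sign-up, since a uniform login message alone does not close the gap if those flows still answer differently.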
