#SOLVED, partially. We realized that it was partly due to a vulnerability in some tables, which we are working to resolve.
I would like to thank everyone who made several important points for their attention.
Mainly to @chris.williamson1996
//////// From here on it was not edited.
My Bubble database was INVADED, where the person managed to get any data they wanted. Mainly my clients’ EMAIL and PASSWORD.
Below I will put the screenshot of the conversation on WhatsApp where she gave me this information and told me, in part, how she achieved this.
How can Bubble’s DB be insecure like this?
I’m already working to migrate my DB and backend to Xano and Supabase, to avoid these types of risks.
I want to know what the Bubble company is going to do about this!
This screenshot below shows when the person spoke to me:
Oh dear. This thread is going to get a lot of comments - but let me be first and kind about it.
Without something called privacy rules that you control and manage (not Bubble), your Bubble data typically is, and can be, public. Read this carefully before freaking out even more: Protecting data with privacy rules | Bubble Docs
Also google Flusk.eu - for tools to let you do your own application penetration tests.
Having said all of that though - they claim to also have got the password … so this doesn’t seem like a privacy rules issue to me, but I won’t speculate. Contact support@bubble.io and look for advice from them.
Someone with more knowledge might be able to comment more specifics on this, but I am curious if you tried the Email and Password combinations to see if they worked for logging in?
I am starting with the assumption it’s not that easy to pull out passwords from Bubble, so I am thinking they may have found the User Emails due to weak privacy rules and then are claiming to know passwords since you cannot view them in the database to scare you. Then they will ask for money (the pen test).
If those are legitimate passwords for those email addresses, are those email addresses legitimate users or were they created by the individual themself? (So then they obviously know the passwords)
If both the Users and Passwords are legitimate then I would contact Bubble directly
Exactly what I am thinking. I think they may have got those user credentials from another source. And they are spoofing you with the data to get you worried and then charge you $1500 to “solve” the problem.
Privacy rules are defined in the system for the user table. Now which privacy rule gives access to users’ passwords? Because whoever broke into the system to show the vulnerabilities gave us the users’ email and PASSWORD, which I validated by entering the account with that email and password and it worked, to my surprise.
Another thing to check is if these passwords are things a user would’ve created (ex: cats123) or if they are something that looks generated.
If generated then do you have backend workflows with exposed password reset flows exposing tokens anywhere.
Bubble does hold very strong compliance; to dump your database, which is all encrypted at rest on Bubble’s side, and then brute force through it all would require an absurd amount of time. Unless your app is very large scale, it’s incredibly unlikely.
My assumption is the passwords are some form of smoke and mirrors to convince you, OR your app has a vulnerability due to your own development: either a backend that’s set to ignore privacy rules, bad data practice like storing passwords, or privacy rules that were not set up correctly.
Yeah… that definitely looks like a scam message (they’re fairly common).
And whilst, if your privacy rules are not up to much, it’s possible for data like email addresses to be found in your database, user’s raw passwords are not stored in the database at all (unless you’re manually storing them) - rather a hashed version of them is, so it should be virtually impossible for the original password to be extracted.
So, if they genuinely do have your User’s passwords, it’s highly unlikely they’re getting them from your database.
If I were you I’d change those 6 Users’ passwords, then ask this guy to send you the passwords again for the same 6 Users, to prove what he’s saying.
If they can send you the newly changed passwords, then you know they must be able to extract them from your database (virtually impossible).
If not then you’ll know they’re talking nonsense (which would be my guess), at the very least in terms of how they’re accessing the passwords. My guess would be that you won’t hear back from them at all.
Although it would be very interesting (and worrying) if they were able to provide them.
Another possibility is that those users have the same password on another website which has been leaked. Perhaps try running them through a password leak checker such as https://haveibeenpwned.com/, and if you get the passwords, it’s likely he just took them from that site instead of your database.
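Two points in the reply above are worth seeing in code: that a properly stored password is a salted hash from which the original cannot be read back, and that a password-reuse check against a breach corpus can be done without ever sending the password itself. The block below is an added example and is not Bubble’s code or anything from this thread; Bubble’s internal hashing scheme is not documented here, so the PBKDF2 record format, the `hash_password`/`verify_password`/`pwned_count` function names, and the range response body are all constructed for illustration. The range endpoint `https://api.pwnedpasswords.com/range/<prefix>` is the real Have I Been Pwned k-anonymity API (only the first five hex characters of the SHA-1 leave your machine), but the sample body and its counts are made up, so the example runs offline.

```python
import hashlib
import hmac
import os
import urllib.request
from typing import Optional, Tuple

# --- Part 1: how a "hashed version" of a password is stored and checked -----

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>.

    Only this record is stored; the plaintext never is. A fresh random salt per
    user means two users with the same password get different records.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the candidate and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- Part 2: k-anonymity breach check (Pwned Passwords range API) -----------

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix sent to the
    API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count
    for our suffix, or 0 if it does not appear."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network call to the real HIBP endpoint. Not used by the offline demo."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-reuse-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Number of times the password appears in the breach corpus.
    Pass range_body to test offline; omit it to query the live API."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with
# 5BAA6). The counts are made up; a real response has hundreds of lines.
SAMPLE_RANGE_5BAA6 = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2ABB6A0C9E5A1B6C2D7F7A7A7A7A7A7A7A7:2
"""


if __name__ == "__main__":
    record = hash_password("cats123")
    print("stored record:", record)          # no plaintext anywhere in it
    print("login ok:", verify_password("cats123", record))
    print("wrong pw:", verify_password("cats124", record))
    print("'password' seen in breaches:", pwned_count("password", SAMPLE_RANGE_5BAA6))
```

The verification step the reply suggests (reset the six passwords, ask for them again) tests whether the attacker can read live data; the breach check tests the other hypothesis, that the users reused a password already leaked elsewhere. Both can be run by the app owner without handing any plaintext to a third party.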
Hello. This was the only privacy rule that was weak. The others in the User table are all defined by access level and a User can only search for other users who are in the same company.
Thank you all for jumping into this issue and trying to help. Awesome to see.
@cotadorsimplificado maybe the users are reusing passwords that were compromised elsewhere? It’s very hard to know without troubleshooting and investigating your app. Like Lindsey said above, you should connect with support and they can look into all of this with you
Edit: the amount of info they were willing to share via WhatsApp, along with how generic it is, really screams scam here.
If you don’t store passwords in a text field, the accounts were created by the same user, and you’ll know that because they were created at similar times.
The amount of ‘weak cipher’ spam emails I get is a huge pain in the ass, but scams like this are all over. All they do is look for sites built with a certain tool (e.g. Bubble) then contact the admin.
Serious researchers certainly don’t disclose by WhatsApp!