Was my app DB hacked?

Now that he’s removed his app ID and is working on securing it, I’ll share a bit more info.

After a quick audit of his app we could see what data was leaked. There were no passwords leaked; however, quite a few other details were.

He was 100% correct that his users’ data was protected; however, he had other data types that stored sensitive user information in plain text instead of in a user object (little things like this commonly get overlooked). I’ll just use email as the example; however, there were a few other fields.

His Data API was also open, as well as the Swagger docs; this allowed me to retrieve a large amount of data and use constraints with the Data API to find a few of the emails he posted a screenshot of earlier in the thread.

I ran those through a DB tool and confirmed that the emails have been exposed in multiple database leaks. Then I confirmed it with a larger database check that doesn’t give details: https://haveibeenpwned.com/

Many times bad actors use automated tools to check many thousands of websites, then go with a more manual approach when they find vulnerabilities. This is why it’s so important to make sure privacy rules are set up, the Data API is only exposing what is needed, backend workflows are secure, Swagger isn’t exposed, sensitive data isn’t stored in app text or option sets, etc.

The odds of Bubble itself actually having a whole leak are slim to none because of how they encrypt data. If a leak does happen, all the bad actor will get is a bunch of encrypted data that will need to be brute-forced. To do something of that scale would take an insane amount of resources and still not be very effective.

@georgecollier has a great thread on some of the basic info most people don’t know is exposed by default in your Bubble app.

@petter has a great book on Bubble app security.

@flusk is the best public tool to test your apps and does the best job at making it so less technical people can understand; however, some understanding of your app and what should/shouldn’t be public will still be needed.

Lastly, I personally offer full audits for security, scalability, and overall app speed.

27 Likes
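The post above describes a Data API that answered anonymous requests and returned a non-user data type with plain-text emails. The following is an added self-audit helper for checking your own Bubble app for that exposure; it is not code from the post, from Bubble, or from any tool mentioned in the thread. It assumes the Bubble Data API "list" endpoint lives at `https://<app-domain>/api/1.1/obj/<type>`, that the Swagger document is served at `/api/1.1/meta/swagger.json`, that constraints are passed as a JSON list of `{"key", "constraint_type", "value"}` objects, and that responses have the `{"response": {"results": [...], "remaining": N}}` shape; confirm these against the current Bubble documentation for your app before relying on it. The sample response is constructed for illustration.

```python
"""
Self-audit of a Bubble app's Data API exposure (added example).

Assumptions (verify against Bubble's docs): Data API list endpoint at
https://<app-domain>/api/1.1/obj/<type>, Swagger JSON at
/api/1.1/meta/swagger.json, constraints as a JSON list, and responses of the
form {"response": {"results": [...], "remaining": N}}.
"""
import json
import re
from urllib.error import HTTPError, URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Field-name patterns that suggest sensitive data in an anonymous response.
SENSITIVE_PATTERNS = {
    "email": re.compile(r"email", re.I),
    "phone": re.compile(r"phone|mobile|tel", re.I),
    "address": re.compile(r"address|street|zip|postal", re.I),
    "secret": re.compile(r"password|token|secret|api_?key|ssn", re.I),
}

# Constructed sample of what an open Data API might return for a
# non-user data type (a "ticket") that stores customer contact details.
SAMPLE_RESPONSE = {
    "response": {
        "cursor": 0,
        "results": [
            {"_id": "1700000000000x1", "ticket_title": "Refund request",
             "customer_email": "alice@example.com", "notes": ""},
            {"_id": "1700000000000x2", "ticket_title": "Login help",
             "customer_email": "bob@example.com", "contact_phone": "+1 555 0100"},
        ],
        "remaining": 348,
        "count": 2,
    }
}


def data_api_url(app_domain, data_type, constraints=None, limit=100):
    """Build the Data API list URL for one data type (assumed path layout)."""
    query = {"limit": limit}
    if constraints:
        query["constraints"] = json.dumps(constraints)  # assumed JSON-list format
    return f"https://{app_domain}/api/1.1/obj/{data_type}?{urlencode(query)}"


def find_sensitive_fields(results):
    """Map each non-empty field whose name looks sensitive to its category."""
    found = {}
    for row in results:
        for key, value in row.items():
            if value in (None, ""):
                continue
            for label, pattern in SENSITIVE_PATTERNS.items():
                if pattern.search(key):
                    found.setdefault(key, label)
                    break
    return found


def audit_response(payload):
    """Summarise one Data API response body (dict or JSON string).

    Rows coming back at all means anonymous reads are allowed; rows that carry
    sensitive-looking fields are the finding the post describes."""
    if isinstance(payload, str):
        payload = json.loads(payload)
    response = payload.get("response", {})
    results = response.get("results", [])
    sensitive = find_sensitive_fields(results)
    return {
        "rows_returned": len(results),
        "remaining": response.get("remaining", 0),
        "sensitive_fields": sensitive,
        "exposed": bool(results) and bool(sensitive),
    }


def probe_own_app(app_domain, data_types, timeout=10):
    """Request the Swagger document and a few rows of each of your own data
    types with NO credentials; anything that returns 200 is readable by anyone.
    A 401/403 means the API is private or privacy rules block anonymous reads."""
    targets = {"swagger": f"https://{app_domain}/api/1.1/meta/swagger.json"}
    targets.update({t: data_api_url(app_domain, t, limit=5) for t in data_types})
    findings = {}
    for name, url in targets.items():
        try:
            req = Request(url, headers={"Accept": "application/json"})
            with urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8")
            findings[name] = {"reachable": True} if name == "swagger" else audit_response(body)
        except HTTPError as err:
            findings[name] = {"reachable": False, "status": err.code}
        except URLError as err:
            findings[name] = {"reachable": False, "error": str(err.reason)}
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live check run
    # probe_own_app("<your-app>.bubbleapps.io", ["ticket", "order"]).
    print(json.dumps(audit_response(SAMPLE_RESPONSE), indent=2))
```

Run it against your own app only; the point of the check is that every data type the Data API exposes should either return 401/403 to an anonymous request or return only fields you are happy to make public, with contact details kept in the user object behind privacy rules rather than in free-text fields on other types.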