Summary: Bubble.io, a popular no-code development platform, has been discovered to have a significant security vulnerability that enables attackers to bypass restrictions and access sensitive data stored in its Elasticsearch database. This vulnerability stems from improper handling of encryption techniques and shared secrets, putting countless applications at risk of mass data leakage. Despite responsible disclosure by researchers, Bubble.io has not implemented a fix, leaving users exposed to exploitation.
Affected: Bubble.io
Keypoints :
- Researchers found that fixed Initialization Vectors (IVs) used in encryption allow attackers to decrypt payloads.
- The vulnerability enables arbitrary queries that can access all user data and custom tables.
- Bubble.ioโs shared hosting environment allows cross-tenant attacks, increasing the risk for multiple applications.
- No corrective action has been taken by Bubble.io despite being notified of the vulnerability.