Bubble.io Security Tip #1: Temporary Password Vulnerability

by Wesley Wasielewski

Aug 12, 2023

In the ever-evolving world of no-code platforms, Bubble.io stands out as a leader. However, like any platform, it's essential to be aware of potential security pitfalls. One such vulnerability revolves around the assignment of temporary passwords.

The Issue at Hand

Assigning a temporary password in Bubble.io is a security risk when the workflow runs in the front end. The typical page workflow searches for the user by the submitted email, assigns a temporary password to that user, and then emails the user the new password. This looks harmless, but a page workflow runs in the visitor's browser: each server-side action in it returns its result to the page so that later actions can use it, and the result of assigning a temporary password is the password itself.

Anyone who can reach the reset form can therefore open the Chrome inspector, filter the Network tab for XHR requests, submit a target's email address and read the newly assigned password straight out of the response, without being logged in. If the target is an admin account, the attacker logs in with that password and gains access to private dashboards or admin pages.

The Solution

The golden rule? Anything related to authentication, passwords, or security should be executed on the back end of your application. Here's how to make the process secure:

  1. Enable Backend Workflows: Navigate to Settings, then API, and check the box to enable the Workflow API and backend workflows.
  2. Create a Backend Workflow: Name it something like "assign_temp_password". Do not expose it as a public API workflow: it will only be triggered internally by your own app, and a public endpoint that resets passwords is exactly what an attacker would want.
  3. Replicate the Frontend Workflow: In the backend workflow, search for the user with the provided email, assign the temporary password to that user, and send the email containing it. The page workflow now only triggers this backend workflow with the submitted email; the password is generated, stored and emailed entirely on the server, and the browser never receives it. To confirm, submit the reset form with the inspector open and check that the XHR response no longer contains a password.

By following these steps, you can ensure that your Bubble.io application remains secure from potential temporary password vulnerabilities.

Stay tuned for more security tips and insights from Flusk, your trusted partner in automated security audits and constant monitoring for Bubble.io apps.
