Cyber Security News

Bubble.io 0-Day Flaw Lets Attackers Run Arbitrary Queries on Elasticsearch

A vulnerability in Bubble.io, a leading no-code development platform, has exposed thousands of applications to data breaches.

The flaw allows attackers to bypass security controls and execute arbitrary queries on Elasticsearch databases, potentially compromising sensitive user information.

Security researchers reverse-engineered Bubble.io’s JavaScript code and HTTP headers to uncover flaws in how the platform encrypts and handles Elasticsearch queries.

The weakness stems from insecure cryptographic practices and hardcoded parameters that could be exploited to decrypt and manipulate search requests.

Key components of the exploit include:

  • Elasticsearch: Used by Bubble.io to power application searches.
  • AES-CBC + PBKDF2_HMAC: Encryption methods protecting queries, but implemented with reusable, predictable values.

How the Exploit Works

Payload Structure

Bubble.io’s encrypted payload comprises three parts:

  1. y: A Base64-encoded timestamp.
  2. x: A Base64-encoded initialization vector (IV).
  3. z: The encrypted query, derived using the app’s name (from the X-Bubble-Appname header) and hardcoded IVs (po9 and fl1).

Decryption Process

Attackers can decrypt the payload by:

  1. Extracting the app name from HTTP headers.
  2. Using hardcoded IVs shared across all Bubble apps.
  3. Applying AES decryption to reveal the raw Elasticsearch query.

Once decrypted, malicious actors can modify queries to bypass restrictions, such as limits on returned results or allowed comparison operators.

Exploit Demonstration

Researchers demonstrated how a benign query for a single user’s email:

{"query": {"term": {"email": "user@example.com"}}, "size": 1} 

Could be altered to retrieve all user data:

{"query": {"match_all": {}}, "size": 10000} 

This manipulation exposes sensitive fields like emails, hashed passwords, and payment details.

Impact and Risks

The vulnerability enables attackers to:

  • Extract entire databases via Elasticsearch.
  • Bypass security controls like query sanitization.
  • Target any Bubble.io app using default configurations.

While Bubble.io has not yet released an official patch, researchers urge developers to:

  1. Audit Elasticsearch query configurations.
  2. Rotate API keys and sensitive data.
  3. Monitor logs for unusual search activity.

This flaw highlights the hidden risks of no-code platforms, which often abstract away critical security considerations.

While Bubble.io democratizes app development, its opaque infrastructure can create blind spots for developers.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a significant…

1 second ago

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in the…

8 minutes ago

Cache Timing Techniques Used to Bypass Windows 11 KASLR and Reveal Kernel Base

Cache timing side-channel attacks have been used to circumvent Kernel Address Space Layout Randomization (KASLR)…

30 minutes ago

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Cybersecurity researchers have unearthed a sophisticated attack leveraging AutoIT, a long-standing scripting language known for…

2 hours ago

New Report Finds 67% of Organizations Experienced Cyber Attacks in the Last Year

A disturbing 67% of businesses in eight worldwide markets—the US, UK, Spain, the Netherlands, Germany,…

3 hours ago

Auth0-PHP Vulnerability Enables Unauthorized Access for Attackers

Critical security vulnerability has been discovered in the Auth0-PHP SDK that could potentially allow unauthorized…

4 hours ago