How can I protect my app’s user profiles?

A random person online has downloaded my full user database right after receiving access to my app.

He sent me the list of my users in a txt file - I was literally shocked.

Thank God it doesn’t appear to be “ransomware” but more of a lead gen tactic - he wants to sell me cyber security services.

After a bit of research and chatting with a technical friend, he told me that he might have performed UserEnum tactics to reverse engineer all my sign-ups. He has also told me that this issue could be solved by applying a patch.

I understand that WordPress is vulnerable to UserEnum by default (unless you apply some plugins), however this shouldn’t happen.

@Glide Team - I have the exact string that the hacker used to download the list. Please let me know if you need it and please let’s fix this key vulnerability.


So he got access to all the database?

That’s bad.

Were you using any of the security measures that the Glide team has developed to protect the database???


Yes, the full list of registered users - their emails, basically.

What security measures?

Shouldn’t protecting our database be a default measure?

I cannot locate any except for anonymising email addresses. And I’m not sure this would work for me and my users.

There are plugins for WordPress to avoid UserEnum.

@maschera Glide Docs

Support@glideapps.com


Please use Row Owners to protect which rows can be downloaded, including your user profiles.

Can you forward us the information you were sent, so we can review it?

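What Row Owners changes, as an added illustration that is not Glide’s code or part of this thread: a hypothetical model in which a row is only synced to a signed-in user when one of the owner columns matches that user’s email, plus an audit that flags a profiles table any fresh sign-up could download in full (the sample rows and addresses are constructed).

```python
# Added example (not Glide's code): a simplified model of row-owner
# filtering and an audit for tables that any signed-in user can dump.
from typing import Dict, List, Optional

Row = Dict[str, str]

# Constructed sample user-profiles table (fictional addresses).
PROFILES: List[Row] = [
    {"Email": "ana@example.com", "Name": "Ana", "Plan": "pro"},
    {"Email": "ben@example.com", "Name": "Ben", "Plan": "free"},
    {"Email": "cy@example.com", "Name": "Cy", "Plan": "pro"},
]

def visible_rows(table: List[Row], owner_columns: List[str],
                 signed_in_email: Optional[str]) -> List[Row]:
    """Rows the app would send to this user's device.

    With no owner columns configured, the whole table is synced to every
    signed-in user, which is what lets one account export all profiles.
    With owner columns, a row is sent only if one of them matches the
    signed-in user's email (compared case-insensitively).
    """
    if not owner_columns:
        return list(table)
    if not signed_in_email:
        return []
    who = signed_in_email.strip().lower()
    return [r for r in table
            if any(r.get(c, "").strip().lower() == who for c in owner_columns)]

def audit_exposure(table: List[Row], owner_columns: List[str],
                   email_column: str = "Email") -> Dict[str, object]:
    """Report how many other users' emails one new sign-up could download."""
    new_signup = "newuser@example.com"  # constructed: any fresh account
    leaked = visible_rows(table, owner_columns, new_signup)
    emails = sorted({r[email_column] for r in leaked if r.get(email_column)})
    return {"rows_downloadable": len(leaked),
            "emails_exposed": emails,
            "full_table_exposed": len(table) > 0 and len(leaked) == len(table)}

if __name__ == "__main__":
    print(audit_exposure(PROFILES, []))          # no Row Owners: everything
    print(audit_exposure(PROFILES, ["Email"]))   # Row Owners on Email: nothing
    print(visible_rows(PROFILES, ["Email"], "Ben@Example.com"))
```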

Thanks Jason.

I have enabled this, although I’m not sure it solves my issue.

More info

https://docs.glideapps.com/all/guides/security-center

Ok - I have just sent it to you via chat.

Aw man, that’s freaky. Hope you were using virtual email addresses!