Companies using Bubble, a low-code platform, have been found to leave their Swagger documentation publicly accessible, opening up the opportunity for a man-in-the-middle attack.
Accessing the Swagger documentation at /api/1.1/meta allows attackers to create, edit, and delete data without user authorization, as well as impersonate users.
Certain endpoints in Bubble's API do not require access tokens or credentials, exposing sensitive information such as property views and search appearances.
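A defender who retrieves their own app's Swagger document can audit it for operations that declare no security requirement, which is exactly the condition described above. The following is an added Python example, not Bubble's code; the Swagger document, its paths and the security scheme name are constructed for illustration.

```python
import json

# Constructed Swagger 2.0 document, shaped like an API description a platform
# might serve at a metadata endpoint. Paths and scheme names are made up.
SAMPLE_SWAGGER = json.dumps({
    "swagger": "2.0",
    "securityDefinitions": {
        "api_key": {"type": "apiKey", "in": "header", "name": "Authorization"}
    },
    # Empty global security: operations without their own "security" are open.
    "security": [],
    "paths": {
        "/obj/property": {
            "get": {"summary": "List properties"},              # inherits global -> open
            "post": {"summary": "Create property"},             # inherits global -> open write
            "delete": {"summary": "Delete property",
                       "security": [{"api_key": []}]},          # requires token
        },
        "/obj/user": {
            "get": {"summary": "List users", "security": []},   # explicitly open
            "patch": {"summary": "Edit user", "security": [{"api_key": []}]},
        },
    },
})

READ_METHODS = {"get", "head", "options"}
WRITE_METHODS = {"post", "put", "patch", "delete"}


def find_unauthenticated_operations(swagger_json: str) -> list:
    """Return (METHOD, path, 'read'|'write') for every operation whose effective
    Swagger 2.0 security requirement is empty, i.e. callable without a token.

    Swagger 2.0 semantics: an operation-level "security" list overrides the
    global one; when absent, the global list applies; an empty list means none.
    """
    doc = json.loads(swagger_json)
    global_security = doc.get("security", [])
    findings = []
    for path, operations in doc.get("paths", {}).items():
        for method, operation in operations.items():
            method = method.lower()
            if method not in READ_METHODS | WRITE_METHODS:
                continue  # skip "parameters" and vendor extensions
            effective = operation.get("security", global_security)
            if not effective:
                kind = "write" if method in WRITE_METHODS else "read"
                findings.append((method.upper(), path, kind))
    return sorted(findings)
```

Unauthenticated write operations are the ones that correspond to the create/edit/delete exposure described in the text and deserve the first look.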
The responsibility for securing apps built on low-code platforms like Bubble lies with the developers, who need to implement proper security protocols.