Tiny Acquisitions Secure

An ethical hacker alerted Tiny Acquisitions about a potential vulnerability

Tiny Acquisitions Secure

What Happened at Tiny Acquisitions

On January 31, 2023, the Tiny Acquisitions team was alerted via email about a potential vulnerability which allowed someone who had signed up as a Tiny Acquisitions user to be able to access another user's name and email address via API.

We have a feature that allows our users to view the email address of another user that they are in the process of either buying a project from or selling a project to. We didn't want to control the process of exchange if users wanted to take their transactions off platform, so we allowed email sharing with both parties.

Here is what that looks like:

Also, when we started Tiny Acquisitions as a community and marketplace for indie-hackers/makers to sell their tiny projects, we wanted our users to have public profiles which would advertise links to their personal websites and social media profiles as well as advertise the projects that they were personally selling.

Here is an example below:

Tiny Acquisitions Public Profiles

This information is made publicly available as we have permission from our users (when they opt in to our privacy policy) to user their information to execute the services and features we have built into our platform.

Let's say a visitor to the Tiny Acquisitions website wanted to compile a list of public profile details, it wouldn't take much technical effort to do so if they even had a very basic understanding of how web browsers work. This information could even be compiled manually by going on individual users' profiles who had listed projects. This is a known feature at Tiny Acquisitions and something our users have given us permission to do.

With respect to the email sharing feature, we did make an error in engineering the feature which allowed any user who had created an account, who was potentially a bad actor, to programmatically access and view email addresses that they were not directly doing a transaction with. This doesn't mean that our data leaked onto the internet or was accessible to anyone who visited our website. It also doesn't mean that our privacy rules were misconfigured unknowingly. We made an error in judgement about a feature that should've given independence to our users but turned out to be a potential vulnerability. It did mean though that a bad actor could potentially sign up and scrape our website programmatically.

I take full responsibility for that error in judgement in building out the feature in that way.

When alerted on January 31, 2023, we immediately made the change to allow only parties actively involved in a transaction to view each others email address.
Thankfully, we were alerted by someone who is an "ethical hacker" and mentioned being a fan of what we were doing. We can safely say, that outside of this "ethical hacker", we have no evidence that anybody's data has been accessed or released anywhere on the internet for any period of time.

Our "ethical hacker" admitted to intentionally searching for vulnerabilities after creating an account with us. They also admitted to intentionally attempting to hack our application.

Here is the email sent by the "ethical hacker":

Alert from "Ethical Hacker"

Without having a chance to respond, we received another email the next day, February 1, 2023, from the "ethical hacker" that alerted us initially that they realized that the issue had been resolved.  

Tiny Acquisitions Built Securely

Tiny Acquisitions is built on bubble.io, a powerful and secure no-code tool that enables technical and non-technical creators to deploy apps at lightning speed.

It is as robust as any other traditional development framework when it comes to data security as technical best practice is employed.

Though the development framework may influence how a bad actor may gain access to an application, the truth is, it's the intention of the bad actor that results in a hack. In the case of the alert we received about this potential vulnerability, our data was not leaked onto the internet or in a public repository for anybody to access. Our data remains secure.

The alert about the vulnerability was one of a potential bad actor, potentially signing up and intentionally conducting a hack. In this case, it was one solely about intention. As people would say, "remember, guns don't kill people."

We have dealt with this vulnerability and continue to be vigilant to ensure that our platform is secure for our users.

Any site can be targeted, not just those built with no-code solutions. Thankfully, Tiny Acquisitions is built on a number of extensively funded and secure web solutions that protects our users' data from the attack of bad actors.

Data Security at Tiny Acquisitions

We take data security very seriously at Tiny Acquisitions and our priority is to protect every bit of information that should remain private.

We would like to assure our users that their data remains secure and has not been leaked onto the internet.


Stephen Campbell