Massive ransomware vulnerability


Adalo really needs at least 2-factor authentication as an option, or to only change developers’ passwords through an email “forgot password” function, because every developer on this platform is one leaked password away from a hacker logging in as them, changing their password, then sending an email to the email on file that says “give me $10,000 in bitcoin or you’ll never see your projects again, and every day you wait I delete a project”.

Are there any developer security features like 2-factor authentication coming in the future?

Rest assured that is not how ransomware works. Ransomware would need to be installed on Adalo’s servers, something your credentials won’t give them. Then Adalo would be the ones who had to pay to restore your data, not you. The entry-level standard (which I cannot attest that Adalo has) is $1,000,000 insurance in case of cyber attack, which is why most attackers set the unlock fee at around $1,000,000 USD worth of bitcoin. Obviously higher-value targets are asked for more; Adalo would be around the million-dollar mark.

Not having MFA is not a vulnerability, it is just poor security practice. Even most MFA is poor security practice: SMS MFA is better than no MFA, but still not good.

I am an OWASP member (I think in good standing, but now that I think about it I should double check) and work in cyber-security as part of my company’s offerings.

I have spoken to Adalo about security, and they take it seriously and it is a top priority. There are issues to tackle, but fending off a ransomware attack by implementing MFA for their website users is not one.

MFA should be implemented, and eventually will. But in due time.

4 Likes

Just to add, it has been about 3 years since the last time I was called in forensically on a ransomware attack. Turns out the backups had been failing for 9 months without the IT department fixing the problem. It was a mess.

I don’t say this to impress you, but to impress upon you that I know a little about what I am talking about.

I agree multi-factor authentication has issues too; we’ve all heard of them. Also, hackers hack everyone because, put simply, who doesn’t want money if it’s free? I’ve heard of $300 ransom payments. I know ransomware isn’t the exact word for it, but I just mean someone getting on your account and changing your password, then messaging me: pay me ($amount of money) for the new password.

But I guess I’m asking, since you’re a security pro: is my account only protected by a password? Linking it to your phone, I know, wouldn’t be perfect, but wouldn’t it be better than what we have now, which is just a password?

As a security pro, there are questions I can and cannot answer.

I feel safe in saying this. I built a version-controlled backup system for our clients’ apps so we can restore our client apps in case of emergency. I did offer to integrate it into Adalo, but that hasn’t gone anywhere.

2 Likes

Also, I don’t know if this helps the situation, but if someone steals your password and deletes your apps, you cannot pay them to restore. Adalo can reset your password and, I think within 7 days, restore your app. So if that happens, contact support ASAP; don’t pay for your password back.

3 Likes

I just want to leave this comment for future people who stumble across this post. There is an anecdote told in the security world that goes something like this:

A guy drove his GMC Jimmy to a bullet-proof outfitter and asked if he could get his car bullet-proofed. After some discussion about levels of protection and various options, the guy asked how it would affect his monthly gas bill. The owner of the shop replied: if you care about the extra fuel consumption that bullet-proof armor on your car will take, you don’t need bullet-proof armor.

Adalo is a no-code service.

2 Likes

Is this like an offline copy, essentially??? I’d kill for this (pay for this feature hardcore).

It is not offline essentially, it is offline. I wanted to host the service on our servers for the community here: https://adalo.pragmaflowservers.com/ but it violates the TOC of Adalo, and as a dev, I respect boundaries, so I didn’t add it to our site.

We are boring af people to watch, but you might be interested in these

Oh, and this… our level of protection of your credentials surpasses Adalo’s.

2 Likes
