Systemic Critical Security Flaws (Authentication Bypass) (critical)
A critical vulnerability was discovered by Wiz Research on July 9, 2025, allowing unauthorized users to bypass authentication, including Single Sign-On (SSO), and register verified accounts for private enterprise applications. This flaw exposed sensitive data, including PII and HR operations data, across thousands of enterprise applications due to exposed API endpoints and hardcoded 'app_id' values. This represents a fundamental failure in security controls (Broken Authentication).

Multiple Critical Design Flaws (XSS, JWT Leak, Open Redirect) (critical)
Imperva research uncovered multiple critical vulnerabilities, reported in March 2025. These included:
1) Stored Cross-Site Scripting (XSS) on the trusted app.base44.com domain due to client-side-only enforcement of premium features, enabling account takeover.
2) An Open Redirect flaw in the OAuth login process that leaked user access tokens.
3) The main platform's JWT (access token) was leaked directly to user-built apps via the URL, giving app developers control over the victim's full Base44 account.

Lack of Operational Maturity (Small Team Size) (high)
Base44, a platform reportedly used by 'thousands of enterprises' for sensitive applications (PII, HR), had only 6 total employees at the time of its acquisition in June 2025. This extremely small team size suggests a severe lack of resources dedicated to enterprise-grade security, quality assurance, and compliance, as evidenced by the critical security vulnerabilities discovered immediately post-acquisition.

Low Trust Score and Scam Warnings (medium)
The website base44.com received a low trust score of 24.4/100 from Scam Detector, which labeled the business as 'Suspicious. Unsafe. Doubtful.' The analysis noted high-risk activity related to phishing and spamming, and flagged that the WHOIS data for the domain owner was hidden.

Poor Customer Support and Platform Reliability (medium)
Customer reviews indicate significant operational issues post-launch. Complaints include: 'Customer support is a joke, expect to wait 48 hours for a reply' (Sep 10, 2025) and reports that the platform 'does not function reliably by current standards. Its registration and login functionalities either fail...' (Jul 8, 2025).

Waiver of Jury Trial and Class Action in Terms of Service (low)
Base44's Terms of Service (dated Sep 21, 2025) explicitly state that users waive the right to trial by jury or to participate in a class action lawsuit against the company.