Community Feedback Proposal: Anti-Abuse Measure on Free Plan

Hi Bubble community,

We’re reaching out to get input on a new measure on the free plan we’re considering. We value the Bubble community and we want to get your thoughts prior to potential implementation. Recently, we’ve noticed an upswing in bad actors abusing the power of our free plan to create phishing / scam / illegal apps. This trend has been quite troubling for us, but especially for potential victims of these scams. The Bubble team already has a number of “safety nets” in place to proactively flag and take down as many bad actors as we can, but some are still getting through.

These bad actors take advantage of the fact that the Development version (Bubble apps with the URL /version-test) of free Bubble apps is freely available on the internet. As a result, one option we’re considering is to implement user-generated password protection on the Development version (/version-test) of Bubble apps on our free plan. Note: This feature is currently already an optional setting for all Bubble apps.

The proposal is that for users visiting their Development version via the editor, nothing will change. For people visiting the dev version of a free Bubble app by its URL (/version-test), they will be prompted to enter a password that the app owner specifies. You may notice other web builders (e.g. Wix, Webflow) already do this too.

We know Bubble users on the free plan enjoy the fact that they can share their dev version with friends and family - and we love the fact that you want to show off the amazing stuff you are building! We don’t want to unnecessarily add more friction to this process, but we do believe that password protection will have a real effect on slowing down these bad actors. (It should also be explicitly noted that this is NOT meant to be an upgrade driver, but a means to keep the Bubble platform safe.)

You can share your thoughts on password protection through answering the poll below:

Do you agree with implementing password-protection on development versions of free plan apps to prevent abuse?
  • Yes
  • No


Also, if you have alternative ideas on how we can stop free Bubble apps from being abused, we always appreciate your thoughts in the comments. Thank you!

14 Likes

How about requiring a CC on ALL accounts regardless of tier, but not billing on the free plan? Wouldn’t that weed out many of the lowlifes out there?

15 Likes

This is a good idea. But the proposal also works.

Yeah not a bad idea. The added friction might harm conversion but would definitely be a deterrent to bad actors. Will float this with the team as well, thanks.

2 Likes

I don’t see any harm in requiring a password on the /version-test URL of free plan apps, but I’m not someone that currently uses the free plan and I’m guessing most people responding to the poll aren’t either. So while I definitely appreciate you checking with the community about a potential change, I worry that this poll may give you a skewed impression if the users responding don’t have any “skin in the game.”

On another note, I’m curious why scammers are taking advantage of the /version-test URL rather than just using the app’s main URL? What am I missing here?

3 Likes

Great question, free plans do not have a Live version, so no main URL. Using the preview functionality for the Development version allows them to essentially work around the lack of a Live mode.

1 Like

How would it work for templates?

I write some Bubble tutorials at nocodeassistant.com and share the preview and editor link for readers. I’d have to share a password for them to view the preview page. It can make things cumbersome.

1 Like

Without committing to anything, I think we can avoid Templates from this requirement as Templates are individually reviewed by our team before they can be published. Are you sharing the editor link & preview from the Template itself or from an app created using the Template?

1 Like

I’m sorry for the confusion. They are two different cases.

The app for tutorials is separate and is not available as a template. Here is a link: “Beginner's guide to sorting a Repeating Group in Bubble.io”, and there are links for the editor and preview at the bottom.

@nick.carroll

If users are taught that they can prepend the username and password to the URL when sharing their apps

i.e.

https://username:password@amazingapp.bubbleapps.io/version-test 

Then I suspect no one will have an issue.

I would like the username/password to be per app, not per account. And be generated at run time when creating a new app or cloning a new app.

I know Flywheel hosting does this.

Thanks
ZubairLK

3 Likes

Thanks for clarifying @nick.carroll. With that additional context, perhaps some sort of banner or watermark should be overlaid on the /version-test pages for free plans? I think adding a password would prevent some abuse but what’s stopping a scammer from setting up a simple password and also providing that to their victims? A prominent watermark on the page could provide potential victims with a warning and would have the added benefit of providing some incentive to upgrade from the free plan.

Or perhaps the idea is to have the “password required” screen include some language/warnings to potential victims which would also achieve this goal?

Full support.

Bubble’s reputation is important to all of us.

You only have to make it a bit harder to use your product than your competitors and the scammers will go to the other product.

I’d also recommend dynamic signup pages/inputs so it’s harder to bot your way through signup.

I don’t want Bubble sites getting added to possible scam/spam/junk in web filters. So I fully support anything that will reduce bad actors.

4 Likes

I support the idea of adding some protection to protect the reputation. I am not sure the password is the best solution. I like the idea of a watermark or if there is a way to just limit the visits by unique users per day for free plans. This would allow a developer to visit/test their page many times as they make edits but ‘detect’ when someone is spamming with the site.

Thanks for running the potential update by the community @nick.carroll!

I wanted to mention one impact of this change on the users of our Canvas template. The way the template works is that once the user creates an app from it, they use the “Run as” functionality to get into the admin portal of the template, which then guides them through the rest of the onboarding process.

If this restriction is implemented, I expect that there will be lots of users who get the template, use “Run as”, and then won’t know what the password is to access the run mode.

I imagine a related issue is that a new Bubbler might start an app, put some stuff on the page, hit Preview and run into the same issue, which could confuse them.

Sounds like the kind of thing that could be addressed with some extra UX around the experience of setting the password.

5 Likes

What about plugin demo pages? What about just creating small apps with non-profit purposes?

5 Likes

Agree. The measure is sound.

However, and also in reference to @nick.carroll’s post, it’s crucial for me that the user and password are auto-filled when hitting the “preview” button or at least stored in a cookie. Otherwise the design iteration time will be severely slowed down.

Iteration time must not suffer (in my opinion) from additional security measures. There is already lots to improve there.

In terms of using a badge, as far as I remember, the free version already has a “made with bubble” badge. Isn’t that enough?

Visit limits or other plan limiting is a really bad solution in my opinion and amounts to upgrade incentives and innovation blocks for seasoned designers and newcomers as well. #restrictioncreep

2 Likes

Same here. More than 100 tutorials with preview. Will it be required for all apps, even if they were created before this update?

1 Like

@nick.carroll

I think @sharma.himanshu0608 is right. That’s something that will be annoying in the beginning but I’m willing to deal with it for safety improvements for others.

I have a lot of free apps that I make as examples for the forum and it would be impossible to go back to all the old posts and put in a username and password.

Is there any way we can add some instructions in the popup that asks for the username and password?

So we can just tell them what it is from there? So if I am being tricked, I would know there was something up but for ones that know it, just giving them instructions on how to log in might be helpful.

Anyways, just a thought. Not sure if that would still be an issue for those bad apples or not. Would it actually still help if this is added?

Another idea, maybe a popup advertisement for Bubble that says “This is the development version for a site made on Bubble” or something like that. Then at least they can click through it without a password? Hmm 🤔 Not sure if that is a good idea or worse. 🤷

1 Like

Maybe they could do the password effective on apps made after 2022 or something.