[FREE] New AI Privacy Rules Checker by Flusk 🤯

Hey all! :wave:

Today is a big day in the Bubble security ecosystem. :warning:
At Flusk, as part of our approach to securing the Bubble ecosystem and its associated security audits product Flusk Vault, we are releasing our new Privacy Rules Checker FOR FREE.

:link: AI Privacy Rules Checker by Flusk

It's been long and fastidious work to achieve this, but we're really proud to bring this game-changing tool to the Bubble ecosystem.

Who are we?

We are Victor and Wesley, the 2 founders at Flusk.
We've been Bubbling for more than 4 years now, and our main goal now is to secure the entire Bubble ecosystem.

Two weeks ago, we released a :rotating_light: Concerning study about the Top 100 Bubble apps security, and that's why we give our best every day to provide useful tools to the community in order to secure the apps they build.

Why is this tool game-changing?

You probably heard about the Tinkso or the nocode:nohack (now ncScale) security checkers.
Flusk Vault goes much further than that.

In order to check your data's privacy, these tools only check whether your Data API is open or not.
If it's not, they consider your data secured.
But this is not necessarily the case! :no_entry_sign:

This reveals a LOT of Data Leaks people didn't even know about.

After processing more than 900 apps in this tool, 90% of them have concerning Data Leaks.

:link: Free AI Privacy Rules Checker by Flusk

Where AI takes place.

We give all the blurred results to an AI, which is going to analyze the results and tell you about the Legal sanctions you could be punished for.
We anonymize data before sending it to the third-party service that provides us with the AI.

Is it a security vulnerability from Bubble?

This is not a security vulnerability from Bubble.
As they tell you, and you should remember this forever:

The only thing that protects your data is Privacy Rules.

So if your Data is well-secured using efficient Privacy Rules, you should not even see 1 Data Leak.

Are you going to leak all this data?

For sure we're not!
You can basically test any Bubble-made application, but the leaked data, if there is any, will always be blurred (not in the front-end, obviously!).

:link: Free AI Privacy Rules Checker by Flusk

Can I prevent my app from being scanned?

Yes, you can prevent your app from being scanned by other people.
You just have to enter your app on Flusk Vault (for free) and deactivate scans.
We do this in order to prove ownership of the app.

This does not require any financial transaction. It's 100% free to add your app on Flusk Vault and disable public checks.

:warning: Preventing other people from scanning your app will not make your app more secure. This is only obfuscation.

On your Flusk Dashboard, go under "Application > Settings" and check the "Prevent Public Check" checkbox.

Please keep in mind that scanning an app that you don't own is against our Terms of Use.

Links

:link: Free AI Privacy Rules Checker by Flusk
:link: Flusk Vault - Automated Security Audits for Bubble.io Apps
:link: Flusk Blog - Articles, Tips & Tricks About High-Performance Bubbling
:link: Flusk Twitter - Daily Tweets About Security

If you have any questions or want to share your feedback about this tool, feel free to reply to this post! :heart:

7 Likes

It's genius :sweat_smile:
Congratulations on achieving this amazing tool!

1 Like

Sorry, @wesleywsls, but I have to ask… you're saying you have created a tool that allows anyone to scan any Bubble app to see if there are security vulnerabilities (blurred data, whatever that means, or not), and the way to prevent people from scanning our apps with your tool is to buy a license for your product?

I'm all but certain that I am just not smart enough to understand what is going on here, but can you please explain it to me like I'm 5 because I must be missing something. Hell, a longtime, well-respected Bubbler recently lost his mind in the forum over the idea that Bubble might use his stuff to train AI models, and this seems significantly worse than that.

So, please, if you don't mind, what am I missing here when it comes to allowing anyone to scan any app and making people pay to opt out?

5 Likes

Hey @mikeloc, there's a mistake in the post, I'll ask Wesley to review it…
There's no need for a premium license, only a free account. We only do so to verify your ownership of the app before you can take any actions like blocking the tests.

Thanks for the clarification, @vnihoul77. I guess that makes it a bit better, but you're still saying we have to create an account (free or not) in your product in order to stop literally anyone from scanning our apps, right? If so, sorry, but I still don't think that makes sense to me, unless I am missing something else here.

3 Likes

Well, let's be clear, our tool doesn't hack anything. Anyone is able to retrieve the same information as we do with a few hours of engineering and research on the forum.
All the tool does is make everything pretty with a nice UI/UX.

So my question for you would be, why don't we shut down the forum because there is the knowledge here to allow people to extract the same results?

Again, the tool is free to use, and we've been giving up our own time to deliver something that we hope will make people face a hard reality and start securing their app, which is not in our "business interest" by the way.

3 Likes

That's impressive - I've spent many hours in the debugger not achieving that :rofl:

5 Likes

I never said your tool hacks anything, but interesting that you went down that path.

That isn't even remotely true. You said the following yourself…

I'm sure Lindsay is right in that what you have done is quite impressive, and I would imagine very few people could actually do it. And about this…

How is that analogy even close to being reasonable? I'm pretty darn sure (sadly and somewhat embarrassingly) that nobody knows the content of this forum better than I do, and I can all but guarantee there is nothing out there that would enable the average (or even well-above-average) person to create a tool that can scan everyone else's Bubble app without their knowledge to look for security vulnerabilities. Can you point to examples of the information that makes it easy (in your words, a forum search and 1 hour of engineering) to create a tool like yours?

Also, if I said I don't want people to be able to scan my apps with your product and I don't want to sign up for your product in order to make that happen, what would your answer be?

3 Likes

We haven't found all of the knowledge in an easter egg… Look it up yourself, all the bits are on the forum, it's just a matter of testing and connecting the dots.

Well, just take one second to shoot us a DM or ask, it will take another second to get done on our side.

Sorry, but I'm still not buying that.

Great, but you realize that's not the point, right? I don't want to have to contact you or sign up for your product in order to stop people from scanning my apps with a tool you made.

4 Likes

@wesleywsls & @vnihoul77

Absolutely amazing job here! Really :clap:
So, first, congratulations, and also thanks for contributing to the security of the Bubble ecosystem.

That said, I do understand the concern expressed by @mikeloc.

This is like uranium (just kidding 😅).
1- you can retrieve energy from it => if you are the owner of the Bubble app, it saves your life
2- in bad hands, you can build bombs => anyone who didn't have your skills to gather the knowledge from the forum can now scan apps and leak vulnerabilities? Maybe not, because, in order to do so, they still must be aware that the app is built on Bubble and know its exact url? Or does the tool work for any url (whether on Bubble or not)?

Anyway, maybe a good solution could be to turn it the other way around. You need to scan an app? Sign up for free, provide your app's url + a code which proves you're the owner. Then you can scan and fix vulnerabilities before any hacker raises interest in you.

As a reward for your efforts, if the tool is wonderful, and I guess it is, you'll get hundreds of thousands of Bubblers signing up to Flusk. Even if they are free accounts, this will fuel up your business development database for future services, and it will be a fair win-win.

Good job

5 Likes

I really appreciate the constructive comment @CharlesD

I agree with you, this was a bit of a challenging decision for us: should we keep the tool private, should we keep it for our users or should we release it publicly?
Here's more context on our train of thought:

  • Keeping the tool for us: was not really an option, as I think it's a very valuable tool for app owners, as you mentioned.
  • Keep it for app owners: well, in a way, that was already the case as our tool Flusk Vault, for example, integrates this feature among many other security checkpoints. However, the tools available don't necessarily push app owners to build more secure apps and get compliant.
  • Make it public: radical and even controversial, I agree, but also necessary? If you now know that your apps' databases can be accessed so easily by anyone using our tool, then maybe you will start to be more considerate about building secure apps and defining Privacy Rules properly.

:warning: Again, when we hear app owners saying "I don't want my data to be public in such a tool", most of the time it isn't their data, but their customer/user data, and those users are totally unaware that it can be accessed publicly and that they signed up on an app that doesn't respect their privacy by not securing its database properly.
That's immoral, most of the time illegal, and in my opinion concerning.

3 Likes

Thanks for your swift reply and for sharing the context of your brainstorming about how to release the tool. With this background, it's easier to understand the spirit. Makes sense.

We all aim at becoming, not just small "tinkerers", but real great developers with privacy, performance and scalability in mind. So, your work will help. Even though it is scary :scream:

1 Like

No problem :+1:

1 Like

My personality would have chosen this route as well. It will force developers to take action to secure their apps.

If Flusk can create this tool, what's to say there aren't already 100 other cyber criminals that have a similar tool and are stealing everyone's data.

I also do hear the concerns others brought up.

But my opinion is to keep this live. Let it force us to secure our apps because I'm certain others built similar tools and are actually stealing people's data.

In fact, bubble should send an email to everyone encouraging them to test this tool to see if their apps are vulnerable.

For far too long people have been building without security top of mind and it needs to change.

Truthfully, this is a tool bubble should have built into their platform for each developer to see their vulnerabilities.

3 Likes

Thanks for supporting us in our choices, @ralphlasry.

That is true. We also highly believe in this.

Ahah, I wonā€™t say itā€™s a bad idea!

Thanks for supporting us, really appreciate your feedback.

1 Like

Too much spam by these guys on the forum, I get it you want people to buy your product but all of these posts come off as way too promotional and for that reason I'm out. It's a massive turnoff.

3 Likes

Obviously, we're a team making money on these matters so we do rely on sales, but most of the content we're trying to offer is really just from us, Bubblers to Bubblers.
Look it up, we have a lot of free content, including a 70-page book, this tool and our blog articles :heart:

Thanks for the feedback, I'll really make sure we mind that in the future!

1 Like

I find some reactions odd…
I'll start by saying a big thank you for this great tool, and what's more, it's free.
Thank you very much for this tool vnihoul77, do not change anything!

4 Likes

Well, in defense of my reaction, @antoinechiro (not that you asked or should care, but still), the initial post did not say anything about it being against their terms of use to scan an app you don't own, and it also said you had to buy a license for their product in order to turn off the ability for other people to scan your apps (although, as you can see, they quickly said the latter was a mistake).

So, the context has changed since (and in part because of, whether they know it or not) my interaction in the thread. And sure, I probably came off as antagonistic because I really didn't (and still don't) agree with the approach they have taken to let anyone scan any Bubble app in existence. But, to their credit, they have admitted they knew they were taking a controversial approach, and with that decision comes, well, controversy.

I know the Bubble forum community as well as (if not better than) anyone at this point, and I believe if the community was paying attention, the response to the approach they have taken with this tool would be overwhelmingly negative. I also believe the Flusk folks are super smart and knew exactly what they were doing by going the controversial route (as they say, there's no such thing as bad press), and whether I like that route or not, I still respect what they are trying to do to help Bubblers make their apps more secure. In fact, I respect it so much that I'm calling it right now… if they do this privacy thing right, I believe Flusk could be the first acquisition Bubble makes from the ecosystem (unless Bubble has already made one or more acquisitions we don't know about, but I would think something like that would have been big news in the community). No, really, I actually think it could happen. I know for a fact what a big pain point it is for Bubble that a lot of Bubblers (especially new ones) essentially ignore privacy rules, and if the Flusk folks help Bubble solve that problem, they could be golden.

So, anyway, that's my take on the situation, and it doesn't really matter what I think because in the end, these folks know exactly what they are doing, and they are going to be just fine.

8 Likes