How over 2,000 live Bubble apps left their editors public

boston85719 · 2024-09-11T13:08:49.068Z

georgecollier:

Gold agencies perform slightly better on average which is good news, but the fact remains: even among the “best,” nearly 1 in 10 apps is left wide open, and the Gold rate

Please don’t encourage the misconception that gold is supposed to be ‘best’…Bubble made a HUGE mistake in ranking names, as they stated intention of ranking is size and not quality, but obviously most rational and logical thinkers assume gold, silver or bronze is representative of quality and not size.

Thanks for the insights here. Can’t imagine how many hours it took to audit 18,000 apps.

georgecollier · 2024-09-11T13:11:34.052Z

boston85719:

Please don’t encourage the misconception that gold is supposed to be ‘best’…Bubble made a HUGE mistake in ranking names, as they stated intention of ranking is size and not quality, but obviously most rational and logical thinkers assume gold, silver or bronze is representative of quality and not size.

100% correct. Previously, before agency tiers, Bubble could fairly reasonably not be involved in controlling the marketplace at all. That changed the second they implemented tiers - once they added tiers, they effectively endorsed some agencies (even if only by size) so much so that the reasonable person would think it amounts to an increased trust/quality rating. It’s not ‘Bubble approved’ or ‘Bubble assured’, more like ‘Bubble likes the revenue this agency generates’. Which is fine, so long as the tiers don’t give the impression of Bubble approved, which they currently do.

boston85719 · 2024-09-11T13:13:50.679Z

Yes…perhaps in the post changing word from ‘best’ to biggest would help promote that Gold tier is just Large.

@fede.bubble could you ask the team if there is any consideration to change tier names to reflect more accurately what they are representing?

georgecollier · 2024-09-11T13:14:27.439Z

Oh I should say, come to DevDay if you want to learn some more curiosities about Bubble app security beyond the basics of privacy rules… mixed presentation + discussion so we can all share and improve. DevDay: Practical security lessons from auditing 18,000 Bubble apps

image1520×800 73.8 KB

stuart8 · 2024-09-11T15:40:06.318Z

Wow, I imagine this was a ton of work. Kudos for doing it and hopefully it leads to some checking by other users and perhaps some more thoughts by Bubble, that suggestion for a monthly email for those who keep it public totally makes sense!

Security in Bubble is a topic that is almost as confusing as WUs when you dive deep into all the permissions

jonah.deleseleuc · 2024-09-12T12:52:12.437Z

I like this case study.

Another exploit I have found quite prevalent in Bubble apps is that client-side API calls (API calls made inside of a Repeating Group for example) can often be exploited since tokens are exposed to the client side. By sniffing around in the network tab of the browser, you can find the tokens which are generated by these API calls.

Since the parameters of the API call are dynamically being populated from the client side (the keys are not private, which is true 99% of the time) the malicious actor can simply swap these values for whatever they choose and can do all sorts of harm to your app / brand or even users.

For example, if the “destination” of a payment was supposed to be person A but you swap it out to person B, you can do some pretty nasty stuff with this!

georgecollier · 2024-09-12T17:28:22.593Z

Thank you to the agencies that have gotten in touch to ask if any of their apps were public! If only all agencies were so proactive

Fortunately, if you didn’t hear from me already then your agency wasn’t a terrible offender by either proportion of public apps or absolute number of public apps. I tried to contact any agencies with more than 50% public editors or more than 5 public apps, so even if you didn’t hear from me there still could be apps that affect you. Just drop me a DM if you want to know which ones are affected so you can secure them if necessary.

senecadatabase · 2024-09-12T20:33:54.210Z

Thanks @georgecollier that’s all interesting.

You give a lot back to the forum.

Jici · 2024-09-12T22:58:17.695Z

Very interesting. I totally think that agency left them open to work on the project with both collaborators or client. Often, it’s client that open their app.

I really think that Bubble should, at least, show a warning popup each time you open editor that app is visible to everyone and where to go to change this settings.
(@fede.bubble )

However, did you consider to exclude “plugins apps” that need to be set to public view mode if author want to share how it’s working in editor?

georgecollier · 2024-09-12T23:01:34.619Z

Jici:

did you consider to exclude “plugins apps”

Yes, test apps, template apps, and apps with no custom domain were excluded as these are all likely to be demo/tutorial/test apps. Only live apps with paid plans and custom domains are included!

hergin · 2024-09-12T23:16:16.967Z

How do you get the list of all Bubble apps? I am guessing you collaborate with Bubble?

jared.gibb · 2024-09-12T23:27:02.570Z

georgecollier:

18,000

How did you get that list? Also, did you do this manually?

georgecollier · 2024-09-13T05:12:45.343Z

hergin:

I am guessing you collaborate with Bubble?

No

jared.gibb:

How did you get that list?

A few sources - mainly tech stack detectors.

senecadatabase · 2024-09-13T10:39:52.217Z

Thank you @georgecollier.

I’ve learned so much from you.

aleemansari97 · 2024-09-13T12:29:50.737Z

These numbers are wild!

I once worked on an app built by a “Gold” tier agency that I often considered working for, the app was nowhere near the standard of what I had imagined a “Gold” tier to have. They also had the public editor problem

hi.luisacosta · 2024-09-13T13:47:11.252Z

Great work man! This is sharp

lindsay_knowcode · 2024-09-13T14:08:30.374Z

It’s a shame the community awards are closed now - Announcing BubbleCon Awards 2024 - Nominate Now! @fede but aren’t these very kind words from the community?

fede.bubble · 2024-09-13T19:32:29.059Z

Agreed. Btw you tagged the wrong user

chaddickson83 · 2024-09-23T12:56:11.167Z

@georgecollier - I have a similar list!
I have been reaching out and getting similar responses - lets chat and explore options!

georgecollier · 2024-09-26T09:57:43.189Z

As a special offer, we’re discounting our audits for apps built by agencies.

Got an app recently delivered and want to make sure it’s secure (most aren’t)? Want to make sure it’s been built following best practices and is a scaleable foundation for future development? Want to send our audit results back to your agency to make them implement what you paid for?

We were recently able to help a client make their Gold tier agency implement privacy rules in their education app as they were completely missing so all data was public.

If your app was built by an agency, you can use the coupon code ‘SAVEMYAPP’ at Unlimited development for Bubble apps | Not Quite Unicorns, which will give you a 50% discount, reducing the audit from $1 down to the special price of $0.50.

Happy Bubbling