How over 2,000 live Bubble apps left their editors public

georgecollier · 2024-09-11T12:51:15.750Z

TLDR, please double, triple, check your editor access permissions (details at bottom), for each app you work on.

Imagine logging into your Bubble app one day to find that someone has accessed your user data, logged in as admin users, or worse, deployed changes to your app that could exploit your users. This scenario is a real possibility for thousands of Bubble app creators right now. How do I know? I’ve just completed a security audit of over 18,000 live Bubble applications, and the results were surprising.

I’ve always believed and advocated for Bubble’s ability to democratize app development. However, this also means that thousands of apps are published where security is an afterthought. I wanted to better understand trends in the security of Bubble apps in order to help improve the platform’s security overall and ensure that Bubble can be used to its fullest extent, without compromising security.

None of these issues are a result of security issues in Bubble itself - rather, it’s poor development practice for which the responsibility lies with app developers. I’ve already communicated with Bubble to show them the process, methodology, detailed results, and provided some common-sense recommendations that would mitigate issues like these.

11.2% of live Bubble apps have public editors

I wanted to answer a simple question: how many Bubble apps have unknowingly left their editor open and vulnerable?

NB: When I talk about live Bubble apps, I mean live Bubble apps that we’ve audited (over 18,000), filtering out templates. We don’t have any reason to think it’s not representative of the ecosystem as a whole. More about methodology at the bottom.

Let’s cut to the chase:

11.2% of live Bubble apps have public editors - that’s more than 1 in 10 apps leaving their entire live database, backend, and app logic exposed to anyone.
This includes 3.3% of live Bubble apps that have fully public read and write access. This means anyone can modify your app, its data, and deploy changes to live.

A public editor permits ‘Run as’ access to Users, in both test and live databases, allowing any user to log in as one of your admin users and do whatever they’d like while logged in.

image1535×1560 103 KB

Private editors are secure. Read only editors are public, allow you to see live data and run as any user. Open editors have the same permissions as read only editors, but allow you to modify the app and deploy to live.

Apps built by agencies and freelancers are less secure

If you’ve hired an agency to build your Bubble app, thinking you’re in safe hands, unfortunately you’d be mistaken. Our audit revealed that agency-built apps are 37% more likely to have public editors compared to apps built by individual developers.

I’m not going to shame agencies or developers by pointing fingers publicly (though having a ranked list of agencies by % of their apps that are public is both enlightening and frightening). Instead, I want to highlight how easy it is for anyone – even professionals – to overlook critical security measures.

image1535×980 119 KB

The proportion of live apps built by this agency tier that were found to be public

image1920×1333 101 KB

For all agencies with more than 5 apps, here’s a ranked list (colored by tier) of agencies by percentage of public apps. Higher is worse. We decided not to show the absolute numbers of apps audited for each agency as this may make them identifiable.

Gold agencies perform slightly better on average which is good news, but the fact remains: even among the “best,” nearly 1 in 10 apps is left wide open, and the Gold rate is only 1.6 percentage points better than apps not built by an agency at all.

image1535×1066 118 KB

The proportion of live apps built by this agency tier that were found to be public.

There is significant variability in security between agencies. One Gold agency even had 66% of their apps as public, yet this agency as well as multiple other significantly below-average agencies are ‘trusted partners’ for a pretty well known security platform. It goes to show that as a potential client trying to find an agency to work with in Bubble, there really is no reliable way to vet an agency’s quality and build practices if you’re not familiar with Bubble itself. I went in to detail on this topic here, so won’t go any further than this. This also links to one of the recommendations I made to Bubble, which is that agency tier awards should have at least some due diligence with respect to an agency’s quality.

Why do agencies perform worse at this security metric?

The reason isn’t certain. However, I speculate that agencies make an editor public during the project to allow people to work on it that do not have agency plans, bypassing Bubble’s collaborator limit. A common case would be where a developer asks their team for support so shares a public editor link for quick help, and forgets to private it again. There’ll be a small number of apps where the client made it public after the agency handed it over, but this is exceedingly rare and is covered further in the FAQs at the bottom of this post.

What do we do now?

We found over 2000 apps with public editors, and many more with insecure admin pages. It is not feasible for us to contact all of these individually. However, in an effort to improve the security of these apps, I’ve tried to reach out to agencies with large numbers of public apps, as well as particularly vulnerable app owners.

It’s interesting to note how different agencies responded when notified that many of their delivered apps were public. Some responded well, fixing the issues quickly, taking responsibility for it and saying they were going to review their processes to see how it could be allowed to happen. Others insisted it was a Bubble bug depsite being provided with links to their app’s editors, and ignored it.

Fortunately, as many agencies have acted upon our advice, we’ve likely been able to secure 100s of apps, preventing numerous potential data breaches and protecting thousands of end users.

There’s a challenge for Bubble, which is that Bubble is the platform, not the builder. In the same way that AWS isn’t responsible for a company building insecure software on their infrastructure, Bubble responsible for ours either.

Bubble knows that it has a large proportion of non-technical users that may assume security is automatic, so it makes sense to put a few simple safeguards in place. However, as app creators, it’s not sufficient to wait around for platform changes - the responsibility for app security ultimately lies with us.

How to make your editor private

It takes about two seconds, and you can do it here:

CleanShot 2024-09-11 at 14.44.27@2x2876×1580 320 KB

FAQs

How did you choose which apps to audit?
We used a number of sources including tech stack databases and Bubble itself/marketing materials, but essentially audited any app that we could find, after filtering to remove apps that aren’t live or may be used for templates/instruction (of which there were remarkably few). We do not think there is any reason to believe this sample would not be approximately representative of the ecosystem as a whole.

Does your analysis include test apps?
No. We filtered out any apps that are not deployed to live, and any app with ‘template’ in the app ID.

Could some apps have become insecure after an agency transferred it?
In theory, yes. However, this is exceedingly rare.

Firstly, we used two methodologies to track an editor’s visibility - one that measures it now, and one that measures it when last deployed. The results were similar by both measures. We can reasonably assume that clients that work with agencies don’t deploy live themselves too often, and clients that work with agencies rarely have a reason to make an editor public. Secondly, if clients making apps public were the main driver of public editors in agencies, we’d expect the rate of publicity by agency to be roughly similar. However, there were clear, statistically significant trends with agencies having vastly different numbers of public editors.

If clients did make editors public, these are exceptions that do not materially affect the results.

How do you define which agency built an app?
We defined agency built apps as measured by Bubble in their number of converted apps statistic. If Bubble marked this app as built by Agency X, then we’ve tracked it as so.

TipLister · 2024-09-11T12:57:00.509Z

note that many hobby projects or attempted startups are at such initial stages, e.g. just two friends building features together, with just test data in them, that it does not always matter.

i do recommend bubble to send an automated mail to users whenever this setting is turned on, once a month, as i bet lots of people forget after just asking one other bubbler to help with a hard feature.

is it embarrassing that live projects with live data, even if its just 10% of the apps found, have this? for sure. especially agencies

georgecollier · 2024-09-11T13:02:05.412Z

TipLister:

i do recommend bubble to send an automated mail to users whenever this setting is turned on, once a month

Yep, I told them this.

TipLister:

just two friends building features together, with just test data in them, that it does not always matter.

That was an initial concern of mine before I completed the analysis, but it turned out to be a non-issue. This dataset only involves live apps that are currently on paid Bubble plans, so filters out most cases like these as, people will generally not be paying for Bubble if it’s not being used (-> less likely to be in the study). Of course, there’s always some exceptions, but when I went through the results, cases like the one you mention turned out to be pretty rare. Additionally, if this case was widespread, it would make the agency built app results even worse!

TipLister:

especially agencies

Yup, that’s the part I care most about at the moment. Hobbyist/non-technical founder not knowing any better is one thing, but an agency should be on top of this issue which is probably the most basic (and serious) issue that could exist. If over 10% of agency built apps have public editors, imagine how many have no privacy rules (spoiler, it’s a lot, because I’ve audited them and had to dig clients out of the )

Other feedback I told Bubble was:

Live apps shouldn’t be allowed to have a public editor unless on agency plan (or it should be very difficult to make the editor public on a live app, with lots of checkboxes saying you understand the risk)…
Notifications should be sent regularly
If public for more than a week, auto-private it by default unless they’ve actively disabled that option in the editor.

TipLister · 2024-09-11T13:06:41.806Z

must be that agencies are trying to get around paying with multiple editors

georgecollier · 2024-09-11T13:07:46.395Z

Yep, that’s the main reason. Also making it public to get help from team members, and forgetting to make it private. I noticed one of my previous clients showed up in the audit - turned out a new agency they onboarded while we were busy made it public

mac2 · 2024-09-11T13:08:48.995Z

George grow up and leave your editor open - it’s freeing

boston85719 · 2024-09-11T13:08:49.068Z

georgecollier:

Gold agencies perform slightly better on average which is good news, but the fact remains: even among the “best,” nearly 1 in 10 apps is left wide open, and the Gold rate

Please don’t encourage the misconception that gold is supposed to be ‘best’…Bubble made a HUGE mistake in ranking names, as they stated intention of ranking is size and not quality, but obviously most rational and logical thinkers assume gold, silver or bronze is representative of quality and not size.

Thanks for the insights here. Can’t imagine how many hours it took to audit 18,000 apps.

georgecollier · 2024-09-11T13:11:34.052Z

boston85719:

Please don’t encourage the misconception that gold is supposed to be ‘best’…Bubble made a HUGE mistake in ranking names, as they stated intention of ranking is size and not quality, but obviously most rational and logical thinkers assume gold, silver or bronze is representative of quality and not size.

100% correct. Previously, before agency tiers, Bubble could fairly reasonably not be involved in controlling the marketplace at all. That changed the second they implemented tiers - once they added tiers, they effectively endorsed some agencies (even if only by size) so much so that the reasonable person would think it amounts to an increased trust/quality rating. It’s not ‘Bubble approved’ or ‘Bubble assured’, more like ‘Bubble likes the revenue this agency generates’. Which is fine, so long as the tiers don’t give the impression of Bubble approved, which they currently do.

boston85719 · 2024-09-11T13:13:50.679Z

Yes…perhaps in the post changing word from ‘best’ to biggest would help promote that Gold tier is just Large.

@fede.bubble could you ask the team if there is any consideration to change tier names to reflect more accurately what they are representing?

georgecollier · 2024-09-11T13:14:27.439Z

Oh I should say, come to DevDay if you want to learn some more curiosities about Bubble app security beyond the basics of privacy rules… mixed presentation + discussion so we can all share and improve. DevDay: Practical security lessons from auditing 18,000 Bubble apps

image1520×800 73.8 KB

stuart8 · 2024-09-11T15:40:06.318Z

Wow, I imagine this was a ton of work. Kudos for doing it and hopefully it leads to some checking by other users and perhaps some more thoughts by Bubble, that suggestion for a monthly email for those who keep it public totally makes sense!

Security in Bubble is a topic that is almost as confusing as WUs when you dive deep into all the permissions

jonah.deleseleuc · 2024-09-12T12:52:12.437Z

I like this case study.

Another exploit I have found quite prevalent in Bubble apps is that client-side API calls (API calls made inside of a Repeating Group for example) can often be exploited since tokens are exposed to the client side. By sniffing around in the network tab of the browser, you can find the tokens which are generated by these API calls.

Since the parameters of the API call are dynamically being populated from the client side (the keys are not private, which is true 99% of the time) the malicious actor can simply swap these values for whatever they choose and can do all sorts of harm to your app / brand or even users.

For example, if the “destination” of a payment was supposed to be person A but you swap it out to person B, you can do some pretty nasty stuff with this!

georgecollier · 2024-09-12T17:28:22.593Z

Thank you to the agencies that have gotten in touch to ask if any of their apps were public! If only all agencies were so proactive

Fortunately, if you didn’t hear from me already then your agency wasn’t a terrible offender by either proportion of public apps or absolute number of public apps. I tried to contact any agencies with more than 50% public editors or more than 5 public apps, so even if you didn’t hear from me there still could be apps that affect you. Just drop me a DM if you want to know which ones are affected so you can secure them if necessary.

senecadatabase · 2024-09-12T20:33:54.210Z

Thanks @georgecollier that’s all interesting.

You give a lot back to the forum.

Jici · 2024-09-12T22:58:17.695Z

Very interesting. I totally think that agency left them open to work on the project with both collaborators or client. Often, it’s client that open their app.

I really think that Bubble should, at least, show a warning popup each time you open editor that app is visible to everyone and where to go to change this settings.
(@fede.bubble )

However, did you consider to exclude “plugins apps” that need to be set to public view mode if author want to share how it’s working in editor?

georgecollier · 2024-09-12T23:01:34.619Z

Jici:

did you consider to exclude “plugins apps”

Yes, test apps, template apps, and apps with no custom domain were excluded as these are all likely to be demo/tutorial/test apps. Only live apps with paid plans and custom domains are included!

hergin · 2024-09-12T23:16:16.967Z

How do you get the list of all Bubble apps? I am guessing you collaborate with Bubble?

jared.gibb · 2024-09-12T23:27:02.570Z

georgecollier:

18,000

How did you get that list? Also, did you do this manually?

georgecollier · 2024-09-13T05:12:45.343Z

hergin:

I am guessing you collaborate with Bubble?

No

jared.gibb:

How did you get that list?

A few sources - mainly tech stack detectors.

senecadatabase · 2024-09-13T10:39:52.217Z

Thank you @georgecollier.

I’ve learned so much from you.