How can Bubble.io allow a simple link (https://bubble.io/page?name=index&id=[INSERT RANDOM CANVAS PROJECT]) to allow viewing and browsing of the data of a Bubble site without any authentication?
I can see other people’s data, without any authentication at all, openly with a URL.
I know it is not every project, and I understand it does not allow you to publish changes, but you can still access, at random, a project and all data associated with it…
I cannot believe what I am seeing! Bubble, what the ???
I understand what you are saying, but in a time where large corporates are getting data breaches every day, a simple Python script can easily attack this URL and harvest projects, and all of their data.
The amount of random sites that are public (and I assume, unknowingly) allowing public viewing of their backend data is horrifying!
Bubble allows no-coders to develop things, but no-coders think that all the burden of security lies with Bubble. That’s untrue. Now, what extent of responsibility does Bubble have for this? They provide the tools to make secure apps. I don’t think there’s much they can do to force people to build secure apps. Do the developers of AWS have to be responsible for developers that build insecure apps on their platform? No.
There’s perhaps a couple of UX improvements that could reduce the risk. Right now, if something doesn’t display, someone asks a question here, someone replies ‘privacy rules’ and then the user goes and checks every box to fix it without realising that exposes loads of data. A few more popups saying ‘hey, are you sure?’ might be worthwhile.
The Bubble security problem is widespread. I’ve audited 7 figure VC funded apps with almost their entire database exposed - some apps from freelancers, some from agencies, some from internal developers. It’s absolutely wild, and then when I tell them there’s a solution, I get told they can’t do it right now because insert reason here that limits their growth. I’m kind of like, yeah it’s not ideal but you can’t knowingly leave your entire database exposed and fix it later because that’s negligence and borderline criminal…
‘Everyone can view’ and ‘everyone can edit’ is pretty explicit.
Yeah, Bubble has to give the tools to make secure apps, but they can’t babysit people who don’t pay attention or don’t want / can’t be bothered to secure their apps.
Absolutely agree with you, Bubble isn’t and shouldn’t be in any position to need to hold the hands of their users, absolutely 100%.
But looking across the board, the targeted base of customers is anyone from beginners to people like yourself that seem a lot more technically minded, savvy, and literate.
All I am saying here is that having a URL that someone using ChatGPT to create a Python script could scan (mind you, not even a captcha is enabled, bottom-tier stuff) to find visible sites, and for the more tech-minded, and those who are more intrusive, to possibly harvest that data, is simply a scary thought.
Out of the views this post has had already, I can imagine someone reading may have just discovered their data has been public and visible without their knowledge.
Yes, the privacy tools may be there, but perhaps not everyone knows what the tools do and how they can be used to properly secure their sites.
It would not be hard to implement a feature, like a VPN does, that notifies you if you’re leaking data.
There are free and paid tools like https://www.flusk.eu but yeah, the offering by the paid tools is something Bubble ought to consider developing in future. Just don’t expect it any time soon.
First I panicked, then: authentication already exists, nobody can view your app if it is on ‘private app’. So the last problem is what happens if you need to send your ID URL to Bubble support; then you need to copy the app for support purposes with the data deleted. So the only problem left is to what extent to trust Bubble support.
So a solution, besides trusting Bubble, is for Bubble to send issue checkers like ‘make your app private’ or ‘make your app private in the settings tab before you deploy to live’ (if one forgets to hide it).