Most are custom-domain apps (more than 99%). How I got it, I'm definitely not going to put in public, but you can get it. It's not rocket science.
About the authenticity of the 11K app claim, you tell me how I would prove that I have actually audited those apps (for your reference, these numbers have gone up to 16K for now).
About putting the methodology of how I audited them in public: no need for now (only you have asked, no one else), so there is not much interest, so I most probably will not post it. Maybe in the future. Although I have recently shared it with some people and even created a detailed PDF.
Man, what's your problem with this post? Just because you don't know how to locate the Bubble apps that exist doesn't mean that other people don't. There are plenty of ways to tell if an app you're on is built on Bubble:
Run window.app in the developer console and review the result
Check the app's network requests to see if it requests Bubble packages
Check the DOM elements for "bubble-element" references
@ankur1 has posted something, the numbers line up with what I've found in my own audits (of even more apps, which no doubt you wouldn't believe), and your first instinct is to doubt it rather than learn from it…
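Added example (not code from the forum or from Bubble): a Node script that applies the three checks listed above to a saved copy of a page's HTML plus an injected global object, so a developer can confirm which indicators their own app exposes. The indicator host names and the sample HTML are constructed assumptions, not values from the thread.

```javascript
// Assumed indicator hosts for Bubble-served packages (assumption, not from the thread).
const BUBBLE_HOSTS = ["bubbleapps.io", "bubble.io"];

// Collect every src/href URL from <script> and <link> tags in the HTML.
function extractAssetUrls(html) {
  const urls = [];
  const re = /<(?:script|link)\b[^>]*?(?:src|href)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// True when the URL's host is one of the indicator hosts (or a subdomain of one).
function isBubbleHost(url) {
  try {
    const host = new URL(url, "https://example.invalid/").hostname;
    return BUBBLE_HOSTS.some((h) => host === h || host.endsWith("." + h));
  } catch (e) {
    return false; // unparsable URL: not evidence either way
  }
}

// Check 1 from the post: does the global object carry an `app` object?
function checkWindowApp(win) {
  return !!win && typeof win.app === "object" && win.app !== null;
}

// Apply all three checks. `win` stands in for `window` so this runs outside a browser.
// window.app alone is only supporting evidence (the name is common); the two
// asset/DOM checks are treated as strong indicators.
function fingerprintBubble(html, win) {
  const bubbleAssets = extractAssetUrls(html).filter(isBubbleHost);
  const bubbleElementCount = (html.match(/bubble-element/g) || []).length;
  const windowApp = checkWindowApp(win);
  const isBubble = bubbleAssets.length > 0 || bubbleElementCount > 0;
  return { bubbleAssets, bubbleElementCount, windowApp, isBubble };
}

// Constructed sample pages: one that shows the indicators, one that does not.
const SAMPLE_BUBBLE = `<html><head>
<script src="https://myapp.bubbleapps.io/assets/run.js"></script>
<link rel="stylesheet" href="https://myapp.bubbleapps.io/assets/run.css">
</head><body><div class="bubble-element Group"><div class="bubble-element Text">Hi</div></div></body></html>`;
const SAMPLE_OTHER = `<html><head><script src="/static/main.js"></script></head>
<body><div class="app">Hi</div></body></html>`;

console.log(fingerprintBubble(SAMPLE_BUBBLE, { app: {} }));
console.log(fingerprintBubble(SAMPLE_OTHER, { app: {} }));
```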
I'll admit I came into this skeptical, which, to be fair, is kind of rule number one in security: question everything.
Part of that skepticism came from annoyance, honestly. The idea of someone analyzing my apps just to sell me services rubbed me the wrong way. I challenged the OP to see whether they'd respond professionally (with transparency and integrity) or defensively.
After looking into it myself, I can see how targeted searching makes it easier to identify and collate a list of Bubble apps. Had that been explained up front, I probably would've been more curious than critical. But the continued lack of transparency, especially when @senecadatabase was able to casually outline a method, still makes me wonder if the OP actually did the work or simply drew conclusions from assumptions.
Thanks for enlightening me about peer-reviewed studies. But let me tell you: that's not a peer-reviewed study, and I didn't ask anyone for a review. I simply stated what I found. Otherwise, I would publish the paper in some journal and then post it. @ihsanzainal84
@genstate Always question everything, but learn how to ask questions without making assumptions first. I never personally tagged you, so I'm not sure why you are annoyed.
You didn't challenge me or anything. You already had the assumption "this post is bullshit" and you just wrote it. Nothing more than that.
Yeah, putting up the methodology was never the intent of this post (the intent was to raise awareness of how many apps leak data). As I stated earlier, if enough people ask me, I will try to put up my methodology (maybe in another post, or maybe not at all), but you were never interested in that.
About selling my services: yeah, what's wrong with it?
About the proof of work, I already asked: how can I prove it to you? Rather than answering that, you just labeled me as someone who wrote anything without doing any work.
Yeah, I am not disclosing how I scanned these sites. No, it never violated Bubble's Terms of Service because I used publicly available data. All these leaks are due to poor developer practices rather than Bubble.
Just to give you an overall idea:
Privacy rule checks: most people forget to set privacy rules.
Data API: people leave it open.
Google Maps API: people don't domain-restrict it.
API keys: people don't mark keys as private, so they are visible.
I even shared everything with the official Bubble team; they donât have any issue, as they clearly know itâs not their issue but rather poor developer practices.
@senecadatabase I hope I have answered you. Let me know if you have further questions.
On most platforms, that kind of activity would likely violate the Terms of Service. Looking at a single app manually is one thing, but scanning 16,000 apps with automation moves into a grey area, mainly because you're generating a large volume of requests against the platform.
Even if Bubble has said they're fine with it, that scale still raises legitimate privacy and data protection concerns in a lot of areas.
I think the info you gave is good as far as what you found.
I do understand some of the concerns about how you arrived at your findings.
Plus, as was mentioned, not disclosing your methods, I thought (after I thought about it), was a little suspicious.
That's also one question I want to raise with Bubble: they should add rate limits on the Bubble server and block the IP address if someone exploits the server unnecessarily.
I'm not blaming Bubble; I recommend they implement rate limits to stop bots from abusing their servers. I won't disclose my method for finding the vulnerability; it's straightforward to reproduce if you choose to investigate.
I am not trying to keep it a mystery or something, but I don't want to share that. Just that.
Just to give an idea: Flusk also works in the same way.
The difference is that Flusk only runs scans when a developer asks it to; it's consent-based. What you did was scan thousands of apps you don't own, unprompted. That's not the same thing, and that's exactly why it falls into that grey area I've been talking about.
You exploited a Bubble loophole and now you're saying they should fix it…
and you're still not saying how you did it.
So, I'll let others decide on this. I don't know what else I can say.