🎉 Introducing the most advanced security platform for Bubble for free (Bubble App Audit)

fede.bubble · 2024-12-11T16:25:54.162Z

Hi everyone, I’m stopping by to share more context related to concerns around this tool:
Bubble is definitely aware of what George is doing. We’re excited to see third-party tools like this popping up, and it’s awesome to have folks contributing to making the ecosystem better for everyone!
On the ToS concerns, don’t worry—Bubble’s got it covered. Let’s keep the conversation constructive and focus on how we can all benefit from these innovations.

lindsay_knowcode · 2024-12-11T17:55:03.626Z

Oh @fede.bubble The voice of reason

Anything that moves Bubble up the dial on security & maturity is good for everyone.

randomanon · 2024-12-12T06:36:49.648Z

fede.bubble:

On the ToS concerns, don’t worry—Bubble’s got it covered.

Hey Fede thank you for chiming in. Just to be clear, when you say this do you mean:

Bubble is aware of this and will be recommending verification before allowing a summary view

or

Bubble is aware of this and will be making a one-time exception for their own ToS

georgecollier · 2024-12-12T08:59:10.194Z

It’s Bubble’s business what they choose to do but they won’t endorse/permit anything explicitly for obvious reasons.

Don’t worry about it. Remember, if they want to shut it down, my app is built on Bubble, so the off switch is right in front of them and they’d be well within their right to hit it.

As Fede says, focus on the benefits and if Bubble has problems you know they’ll come to me about it!

——
In other news, today I’m adding a check to page redirects - not only will we check the visible contents of redirected page, but we’ll check invisible elements on a page. Invisible elements can be made visible, so well simulate that when determining if a page is secure.

randomanon · 2024-12-12T11:42:55.422Z

georgecollier:

they won’t endorse/permit anything explicitly for obvious reasons

georgecollier:

they’d be well within their right to hit it

What do you mean by these statements?

mikeloc · 2024-12-12T13:39:42.671Z

I haven’t posted in quite some time, and from the looks of this thread, I haven’t missed a thing because everything, including literally the same interaction going on here, has been done before.

@randomanon, if it helps (spoiler alert: I’m guessing it won’t), you can stop pulling at that particular thread. When Flusk did their thing, I communicated directly with Josh himself, I pointed out that what they were doing was likely against Bubble’s own terms of service, and in the end, as I predicted (yeah, tooting my own horn there, but come on, that was a pretty impressive call, if I do say so myself), Flusk got acquired.

Now, to be clear, George is definitely not Flusk, and if you read the linked thread, you will probably get what I mean. That being said, and to try to add some value here, I still believe that nobody should be able to scan an app they don’t own, regardless of what is shown to them (i.e., only a summary) as a result of the scan. @georgecollier, just another opinion for you to consider.

Anyway, that’s all I got. We now return you to history repeating itself, sans the incessant ramblings of, well, me.

Best…
Mike

rico.trevisan · 2024-12-12T13:43:45.898Z

mikeloc:

the incessant ramblings of, well, me.

That’s what makes the forum great.

georgecollier · 2024-12-12T14:56:57.269Z

mikeloc:

Anyway, that’s all I got. We now return you to your regularly-scheduled forum, sans the incessant ramblings of, well, me.

Welcome back! From the ashes, he rises…

georgecollier:

In other news, today I’m adding a check to page redirects - not only will we check the visible contents of redirected page, but we’ll check invisible elements on a page. Invisible elements can be made visible, so well simulate that when determining if a page is secure.

This has been added! In the near future, I may allow you to view screenshots of pages in your app with all of the elements forced visible so that you can see how an attacker might use hidden buttons in places like admin panels and why adding conditions to workflows is improtant.

lindsay_knowcode · 2024-12-12T16:45:09.379Z

We miss you Mike

tylerboodman · 2024-12-12T17:50:37.987Z

Hi Mike

georgecollier · 2024-12-12T20:19:11.403Z

The Visibility Scanner will shortly allow you to view any of your pages as a hacker could - with everything visible. An attacker could click any button on your page, and it’ll only be safe if protected by a workflow condition.

The purpose of this tool is to make people more likely to understand that invisible on page load does not protect your page, and conditions on workflow events are necessary.

Check out the hidden sections of the NQU Secure homepage:

CleanShot 2024-12-12 at 21.16.45

randomanon · 2024-12-13T00:00:18.611Z

mikeloc:

Now, to be clear, George is definitely not Flusk

I think this is worse because you can’t even opt out of your information being sent to third party providers like OpenAI, OpenRouter, etc. So you’re essentially streaming proprietary data you don’t have the rights to to another provider, which breaks that provider’s ToS as well. There are so many layers of illegality here, it honestly boggles the mind. Really concerning if @josh and @emmanuel are aware of the current implementation and are totally OK with it.

mikeloc:

I still believe that nobody should be able to scan an app they don’t own, regardless of what is shown to them (i.e., only a summary) as a result of the scan.

Good to see there is at least one other sane person on this forum. And of course it would be one of the legendary OGs.

Again, two simple fixes:

No summary before verification
A setting that toggles LLM-based analysis which is turned off by default (when scanning without verification)

mikeloc:

We now return you to history repeating itself, sans the incessant ramblings of, well, me.

They’re good ramblings though!

ramzizi · 2024-12-13T00:50:50.060Z

It sounds like Bubble is aware of and ok with his platform. I don’t see how it’s giving an upper hand to a hacker, prior to verification it just tells you that there are a number of issues but it isn’t detailing those issues.

randomanon · 2024-12-13T01:59:13.768Z

ramzizi:

upper hand to a hacker

Not everything is about “hackers.” This isn’t a movie. There are real-world issues around IP, competitive intelligence, and defamation.

ramzizi:

just tells you that there are a number of issues

The word “just” is doing a lot of work here. At the enterprise level, all people care about is security and compliance. You could sabotage a competitor by showing them the public results of a tool that shows “10 Critical Issues.” The crazy part here is that the words are arbitrarily defined and are not validated against any known standards, so NQU itself could be responsible for defamation. Additionally, Bubble has massive enterprise accounts itself like Seagate and others, who would definitely not be happy about a public tool that publicly claims that their platform has a number of security gaps. Overall there is massive amounts of liability, very easy fix. This is ignoring my earlier concerns about violating OpenAI’s ToS, which requires that you own the rights to any data that you enter into their API. I am not sure if you ignored that on purpose or if you just happened to miss it.

ihsanzainal84 · 2024-12-13T02:06:02.716Z

Again what’s the point on you harping on this despite knowing that Bubble has reviewed and decided to allow/endorse this project.

Some of your points are valid but what is it you want to happen?

randomanon · 2024-12-13T02:10:36.678Z

ihsanzainal84:

despite knowing that Bubble

Bubble isn’t a monolith. There are random developers, the Head of Legal, Josh/Emmanuel, etc. Who is aware and the extent to which they’re aware of what’s going on are yet unanswered questions and have implications for the future of this tool.

ihsanzainal84:

your points are valid but what is it you want to happen?

To repeat: I’m advocating for two simple fixes before any other “features” are implemented.

No scan or summary before verification
LLM analysis disabled by default (opt-in)

These would mitigate the previously discussed issues, protect users’ IP, and ensure that the tool remains viable long-term.

boston85719 · 2024-12-13T06:51:16.473Z

randomanon:

This is ignoring my earlier concerns about violating OpenAI’s ToS, which requires that you own the rights to any data that you enter into their API. I am not sure if you ignored that on purpose or if you just happened to miss it.

I think he might be aware of it

[FREE] New AI Privacy Rules Checker by Flusk

Showcase

Just a quick point - if you’re using GPT by sending the potentially sensitive data to GPT API to classify it, that may create a privacy problem as OpenAI retains that data.

randomanon · 2024-12-13T06:54:11.616Z

Slightly different, that’s the “Custom GPT” part of the API. In this case the API doesn’t retain the data, but the ToS requires that you own the data that you’re sending to it. You can’t send other people’s data/IP through their API.

But yeah it’s ironic he called it out when it was someone else making the tool.

johnny · 2024-12-13T06:57:08.285Z

Mike’s back!

georgecollier · 2024-12-13T07:09:20.602Z

As reminder, we require people own the apps they choose to scan, and if they don’t they are violating our terms of service.

Anyway, thanks for your concern, but trust I can worry about our ToS, Bubble can worry about theirs, and you can merrily carry on Bubbling

And if it really bothers you, then stop bumping the thread to the top of the forum.