Megathread: Lottiefiles plugin / canvasUI compromised (crypto popups in apps)

Version 0.2.0 was published 5 years ago.
You may want to use version 2.0.4, the one everybody was using in the last few months before this update.

3 Likes

thanks so much

So use all this:

<script>
    // Remove any open <w3m-modal>, even if it is inserted later
    document.addEventListener("DOMContentLoaded", function () {
        function blockW3mModal() {
            const w3mModal = document.querySelector("w3m-modal.open");
            if (w3mModal) {
                w3mModal.remove(); // Remove the modal if it exists
                console.warn("Blocked <w3m-modal> from displaying.");
            }
        }

        // Run initially and check periodically for re-insertions
        blockW3mModal();
        setInterval(blockW3mModal, 1000);

        // Watch the whole document for class changes so a <w3m-modal>
        // added after load is also caught, and strip its 'open' class
        const observer = new MutationObserver((mutations) => {
            mutations.forEach((mutation) => {
                const target = mutation.target;
                if (target.tagName === "W3M-MODAL" && target.classList.contains("open")) {
                    target.classList.remove("open");
                    console.warn("Removed 'open' class from <w3m-modal>");
                }
            });
        });
        observer.observe(document.documentElement, {
            attributes: true,
            attributeFilter: ["class"],
            subtree: true
        });
    });
</script>

<script>
    (function () {
        // Store the original WebSocket constructor once, so repeated
        // overrides never wrap the wrapper
        const OriginalWebSocket = window.WebSocket;
        const BLOCKED_HOST = "castleservices01.com";

        function BlockingWebSocket(url, protocols) {
            // url may be a string or a URL object
            if (String(url).includes("wss://" + BLOCKED_HOST)) {
                console.warn("Blocked WebSocket connection to:", url);
                // Return an inert, already-closed socket so callers that
                // attach handlers or call send() do not throw
                return {
                    readyState: OriginalWebSocket.CLOSED,
                    url: String(url),
                    send() {},
                    close() {},
                    addEventListener() {},
                    removeEventListener() {}
                };
            }
            return new OriginalWebSocket(url, protocols);
        }

        // Retain the prototype and the static readyState constants
        BlockingWebSocket.prototype = OriginalWebSocket.prototype;
        for (const name of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
            BlockingWebSocket[name] = OriginalWebSocket[name];
        }

        function overrideWebSocket() {
            if (window.WebSocket !== BlockingWebSocket) {
                window.WebSocket = BlockingWebSocket;
            }
        }

        // Initial override and periodic re-check to enforce the block
        overrideWebSocket();
        setInterval(overrideWebSocket, 1000);
    })();
</script>

<style>
    /* Hide <w3m-modal> by default */
    w3m-modal {
        display: none !important;
        visibility: hidden !important;
    }
</style>

1 Like

If I have an existing script/style in this section (put in automatically by the Canvas template), do I put this in addition to, or replace?

No, just add it all to the bottom; leave your own scripts.

Hello again everyone,

The team is about to deploy a fix that will automatically detect references to the malicious plugin and replace it with a safe version. This will hopefully fix most (if not all) 3rd party plugins that depend on Lottie Files

12 Likes

Will this fix it for dedicated customers?

Team is deploying fixes for dedicated as well. You’ll get a follow-up email soon.

This is working for me :slight_smile:

1 Like

Issue resolved for me as well, even if Canvas UI Elements or Lottie Player plugin are installed. Thanks for the quick work @fede.bubble and team!

Is it safe to reinstall Canvas UI elements?

1 Like

Thankfully, none of my apps are used in a corporate environment. It’s going to be a rough day for me. This is really concerning. Meanwhile, my .NET and PHP developers are probably celebrating right now. All those C# and .NET coders must be having a blast! None of my apps use lollit.js, yet that f*$%@! popup is still popping up everywhere.

Here’s an idea: provide a standalone implementation of a Bubble.io instance. That would be a game-changer. Bubble.io is a great product—I’ve made a living off of it. But it still hasn’t seen the adoption it needs in closed networks.

When I evaluate a platform, security is paramount. It’s not just about protecting data, but ensuring the entire environment is resilient against potential threats. Robust authentication methods, encryption standards, and regular security updates are crucial. A secure platform builds trust and sustainability for long-term success. My two cents: if you can’t generate corporate adoption, this path has a dead end.

1 Like


Bubble.io’s status page is displaying updates (https://status.bubble.io/). Looks like they may have disabled it.

2 Likes

What are you on about? This isn’t a Bubble-only issue.

3 Likes

How long do you anticipate deploying this fix will take? Not sure if we should be implementing the script in header solution if this fix will take effect shortly. Thanks. Watching the status page, but an estimate would be great.

You’re right, this isn’t a Bubble-only issue. As a service provider, I rely heavily on the reliability of my suppliers. When one of them falters, it impacts the entire operation. That’s why it’s crucial to have contingency plans and multiple safeguards in place. My aim is to ensure seamless service for my customers, regardless of any hiccups that might occur behind the scenes. It’s about maintaining trust and upholding the standards that clients expect.

1 Like

I’m not following your argument here. I’m at times critical of Bubble and its security, but this isn’t one of those times.

If you had your own Bubble “instance” as you quote, you’d be having the exact same issue. If you ran a fully custom web app that required this package, you’d be having the exact same issue.

It’s not Bubble’s fault a third-party package was infected. You could have solved this issue yourself, with or without Bubble, by deleting the package or installing some level of CSP.

1 Like
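The reply above mentions CSP as a way any site could have contained this on its own. As an added example (not from that poster, and not Bubble's code), the script below is a simplified evaluator of a Content-Security-Policy connect-src directive: it shows why a permissive policy lets an injected script open a WebSocket to an arbitrary host, while a policy that lists only the app's own origins refuses it. The page origin and both policies are constructed for the demonstration; host and scheme matching is a simplification of the CSP3 rules.

```javascript
// Added example: simplified CSP connect-src evaluation (not from the thread).
// Host/scheme matching is simplified relative to the CSP3 specification.

// Constructed page origin and two constructed policies for comparison.
const PAGE_ORIGIN = "https://example-app.invalid";
const WEAK_CSP = "default-src 'self' https: wss:; connect-src *";
const HARDENED_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://unpkg.com; " +
  "connect-src 'self' wss://api.example-app.invalid";

// Parse "name src src; name src" into { name: [src, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit a connection to url?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return target.origin === page.origin;
  // Scheme-only source such as https: or wss:
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  // Host source: [scheme://][*.]host[:port]
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/);
  if (!m) return false; // keyword sources such as 'unsafe-inline' never match a URL
  const [, scheme, wildcard, host, port] = m;
  if (scheme && target.protocol !== scheme + ":") return false;
  const hostOk = wildcard
    ? target.hostname.endsWith("." + host)
    : target.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*" && target.port !== port) return false;
  return true;
}

// connect-src governs WebSocket, fetch and XHR; it falls back to default-src.
function connectionAllowed(header, url, pageOrigin = PAGE_ORIGIN) {
  const d = parseCsp(header);
  const sources = d["connect-src"] || d["default-src"];
  if (!sources) return true; // no directive restricts connections at all
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// The WebSocket destination the thread's blocking script targets, and a
// constructed socket endpoint belonging to the app itself.
const INJECTED_SOCKET = "wss://castleservices01.com/";
const OWN_SOCKET = "wss://api.example-app.invalid/socket";

console.log("weak policy allows injected socket:", connectionAllowed(WEAK_CSP, INJECTED_SOCKET));
console.log("hardened policy allows injected socket:", connectionAllowed(HARDENED_CSP, INJECTED_SOCKET));
console.log("hardened policy allows own socket:", connectionAllowed(HARDENED_CSP, OWN_SOCKET));
```

Run it with `node` to see the three decisions. The point for a deployment is the connect-src line: enumerating the app's own API and socket origins means a script that later turns malicious has nowhere to report to, independently of whether the package is ever cleaned up.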

I think it’s ChatGPT talking :wink:

How’s everyone looking now?

4 Likes

FYI, Airdev just pushed updates for Canvas UI Elements and Loader / Loading Screen + Lottie plugins to point to 2.0.4 instead of latest. Upgrade those to be doubly safe.

2 Likes
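Three posts in this thread say the same thing from different angles: pin lottie-player to 2.0.4 rather than `latest`, Bubble's fix rewrites references to the malicious plugin to a safe version, and Airdev's plugin updates point to 2.0.4 instead of latest. As an added example (not Bubble's, Airdev's or LottieFiles' code), the script below audits a page's `<script>` tags for `@lottiefiles/lottie-player` references, classifies each by how its version is specified, and rewrites them all to the pinned version. The HTML and the CDN URLs in it are constructed sample input; only the version the thread recommends (2.0.4) is treated as acceptable.

```javascript
// Added example: audit and pin lottie-player script references (not from the thread).
const PINNED_VERSION = "2.0.4"; // the version the thread recommends

// Constructed sample page: one floating tag, one pinned, one with no version,
// and one unrelated script that the audit must ignore.
const SAMPLE_HTML = `
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.4/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://example-app.invalid/js/app.js"></script>
`;

// Matches a <script src="..."> whose src contains @lottiefiles/lottie-player,
// capturing the whole src and the optional @version segment after the package name.
const LOTTIE_SCRIPT_RE =
  /<script\b[^>]*\bsrc=["']([^"']*@lottiefiles\/lottie-player(?:@([^/"']+))?[^"']*)["'][^>]*>/gi;

// Classify every lottie-player reference on the page.
function auditLottieReferences(html, pinned = PINNED_VERSION) {
  const findings = [];
  for (const match of html.matchAll(LOTTIE_SCRIPT_RE)) {
    const [, src, version] = match;
    let status;
    if (version === undefined) status = "unpinned";          // CDN resolves to newest
    else if (version === "latest") status = "floating-latest"; // explicit floating tag
    else if (version === pinned) status = "pinned-ok";
    else status = "other-version";                             // pinned, but not to 2.0.4
    findings.push({ src, version: version === undefined ? null : version, status });
  }
  return findings;
}

// True only when every reference is pinned to the recommended version.
function allPinned(findings) {
  return findings.every((f) => f.status === "pinned-ok");
}

// Rewrite every reference (floating, unversioned or otherwise) to the pinned version,
// in the spirit of the automatic replacement Bubble described.
function pinLottieReferences(html, pinned = PINNED_VERSION) {
  return html.replace(
    /@lottiefiles\/lottie-player(?:@[^/"']+)?/gi,
    `@lottiefiles/lottie-player@${pinned}`
  );
}

const before = auditLottieReferences(SAMPLE_HTML);
for (const f of before) console.log(f.status.padEnd(16), f.src);
const fixed = pinLottieReferences(SAMPLE_HTML);
console.log("all pinned after rewrite:", allPinned(auditLottieReferences(fixed)));
```

Run it with `node`; the same two functions can be pointed at an exported page header or a plugin's source to confirm nothing still resolves to `latest` after the platform-side fix.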