Not showing sensitive (decrypted) user info in logs

Hi,

I'm worried about a security vulnerability. I currently encrypt and store sensitive user info in the db. When I need to use it, I decrypt it, but this decrypted value then shows in the logs.

I’m worried about my Bubble account getting hacked and then someone could see the sensitive user info in the logs.

Is there a way to remove the sensitive (decrypted) user info from the logs?

I suggest giving some more information about your app to get support from the community.

  • How are you encrypting/decrypting the data?
  • Are you using privacy rules?
  • Are you using any plugin for this?

Probably missing more important questions, but try to give as much information as possible.

Hey @yusaney1 . Happy to give more info.

  • Yes, I’m encrypting the data when I save it to the database using the plugin AES 256 Encrypt & Decrypt (Plugins | Bubble). I then decrypt it when I need to use it to make an API call.
  • I have privacy rules set up. I believe I have it set up such that only I (the admin) can view. See attached screenshot.

This is an issue I’ve recently noticed as well. You can properly protect the data from being accessed by the end-users but any data sent through the API connector after being decrypted is viewable in the actual Bubble logs from the editor under Logs > Server Logs.

Not sure what the correct solution for this is.

We solved @andrewmccalister’s problem by tokenizing their most sensitive data within our vault and leveraging our secure solution such that the Bubble logs never see that sensitive data. More importantly, the Bubble app can never get back that sensitive data while still keeping the app 100% operational!

How do you do this?

Hi @xtechaus - we do this by tokenizing the sensitive data and Bubble simply stores tokens. Want to see a demo? If so, please feel free to book a demo from here: https://strac.io