Suspicious POST being performed automatically to dubious URL

I was looking at my console log in Google Chrome when I noticed something very suspicious…

I thought it might be related to a plugin, so I created a blank page. And yet the error appeared in my console…

I found a recent post by @rico.trevisan talking about something I think is related, but I couldn’t connect the dots, since, in my case, I don’t have any PayPal plugin and the page in question has absolutely nothing…

This somehow seems to be related to @ZeroqodeSupport as I also found this in their forum:

But I also don’t have any “Text File Conjurer” plugin…

Have you taken a look at your logs? I find it strange since I haven’t installed any plugins recently…

1 Like

Yes that is because of Zeroqode’s plugins (it seems the older versions) in the global shared section on every page. They still host the file but it appears their domain name ran out and/or they stopped this practice which is why you see the POST request failure.

It was/is spyware that sends information to their servers about your user’s browser, device, your app name, your app plan, what version it is, etc.

If you go to that URL you can see the script that it imports and runs on everyone’s browsers. It is highly obfuscated code.

https://plst237.s3.amazonaws.com/plst.js

If you ask GPT to analyze and de-obfuscate it, it can explain more.

4 Likes

Thanks Tyler!

This is terrible. Very worrying…
Is there any way to remove this manually? Or only themselves?

@ZeroqodeSupport what is going on!?

2 Likes

Check if you have any updates available for your ZQ plugins, there is a chance it is gone. I had to go to an older version to take that screenshot

The console or network tab might even show the plugin unique id involved and you can put it here https://bubble.io/plugin/[uuid]

3 Likes

Yes just checked, under the Network tab you can find the plst error then go to Payload and the POST body is there, it also sends all the plugins used in your app :roll_eyes:

3 Likes
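The check described above (Network tab, then Payload) can also be run over a HAR file exported from DevTools. This is an added example, not part of the original posts: it lists POST requests to hosts outside your app and the field names in each body. The first-party host `myapp.example`, the POST host and the body field names are constructed placeholders.

```javascript
// Added example. SAMPLE_HAR is constructed; the POST host and body field
// names are placeholders, not values taken from the thread.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'GET', url: 'https://myapp.example/blank' },
    response: { status: 200 } },
  { request: { method: 'GET', url: 'https://plst237.s3.amazonaws.com/plst.js' },
    response: { status: 200 } },
  { request: { method: 'POST', url: 'https://myapp.example/workflow/start',
      postData: { mimeType: 'application/json', text: '{"id":1}' } },
    response: { status: 200 } },
  { request: { method: 'POST', url: 'https://stats.example.invalid/collect',
      postData: { mimeType: 'application/json', text: JSON.stringify({
        app_plan: 'x', browser: 'x', page: 'x', domain: 'x', plugins: ['a', 'b'] }) } },
    response: { status: 0 } }, // status 0: the request failed, as in the console error
] } };

// Names of the fields in a request body, without echoing their values.
function bodyFieldNames(postData) {
  if (!postData) return [];
  if (postData.params && postData.params.length) return postData.params.map((p) => p.name);
  const text = postData.text || '';
  const mime = (postData.mimeType || '').toLowerCase();
  if (mime.includes('json')) {
    try {
      const parsed = JSON.parse(text);
      return parsed && typeof parsed === 'object' ? Object.keys(parsed) : [];
    } catch (e) {
      return ['<unparseable JSON>'];
    }
  }
  if (mime.includes('x-www-form-urlencoded')) return [...new URLSearchParams(text).keys()];
  return text ? ['<raw body>'] : [];
}

// POST requests whose host is neither a first-party host nor a subdomain of one.
function findThirdPartyPosts(har, firstPartyHosts) {
  return har.log.entries
    .filter((e) => e.request.method === 'POST')
    .map((e) => ({ entry: e, host: new URL(e.request.url).hostname }))
    .filter(({ host }) => !firstPartyHosts.some((fp) => host === fp || host.endsWith('.' + fp)))
    .map(({ entry, host }) => ({
      host, url: entry.request.url,
      status: entry.response ? entry.response.status : 0,
      fields: bodyFieldNames(entry.request.postData),
    }));
}

console.log(findThirdPartyPosts(SAMPLE_HAR, ['myapp.example']));
```

Record the HAR while previewing a page that has no plugin elements on it, so that anything flagged comes from code injected on every page.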

Time to clean up those ZC plugins…

2 Likes

It is not enough to test without the plugin, because some of them add a header to all pages, not just when you add a plugin element to a page (bad plugin design from my point of view). You need to preview in safe mode.

2 Likes

Wondering if they have declared it, as Bubble has requested for almost a year now, I think.

3 Likes

This must be why I’m always seeing this in a client app related to pdf conjurer

3 Likes

plst.js was a tracking script used by Zeroqode. @rico.trevisan identified the script and I located where it sent data to. plst = plug-in stats

It was sending to a Bubble app and tracking the user data, e.g. IP/app/device.

Of course, being Zeroqode, their stats app has no privacy rules so the logs were public.

Since then, they say they’ve disabled it so stuff is no longer tracked.

7 Likes

Hi everyone,

Thanks a lot for tagging us here :folded_hands:

We’ve noted the reports and are currently checking this with our development team. As soon as we have more details, we’ll share a full explanation in this thread.

If the team needs any additional information to investigate further, we’ll make sure to request it here as well.

Thank you for your patience and cooperation while we review this.

Best regards,
Zeroqode Support Team


2 Likes

Nice… found it. Apparently it’s from the Air Calendar (Full Calendar) plugin…

In addition to the plugin code, the POST is also passing the list of all plugins installed in the application…

Well, that’s the case… but honestly, I didn’t think a plugin could do that on pages where it doesn’t even exist…

4 Likes

I took a look again and this is the data that was stored (publicly) by them:

  • App plan
  • Browser
  • Page
  • Domain
  • Plugins installed on app

So this part wasn’t quite true (directly, at least)

They had an API call set up with Clay.com that would presumably send the domain used to Clay for marketing reasons.

FWIW I don’t think ZQ was being malicious at all, probably just a bit naive re. data privacy regulations and communicating the tracking.

1 Like

Yes, I don’t think they were doing it maliciously, but I thought it was wrong. I didn’t like knowing that I was sending them data related to plugins that weren’t even theirs, without my authorization or prior consent.

2 Likes

That is the problem. Data protection laws exist for these reasons.

3 Likes

Hi everyone,

We’d like to clarify this point after checking with our dev team.

The POST request you’ve noticed was related to an old analytics script that existed back when there weren’t yet established guidelines around this. Even then, the script only collected publicly available information and never touched private app data.

This code was removed a long time ago and is no longer present in any of our current plugin versions.
If you’re using Zeroqode plugins in your app, we recommend updating them to the most recent versions to ensure you’re fully on the latest builds, which contain these improvements.

To reassure everyone again:

  • No personal or sensitive data was ever collected.
  • The legacy code has been fully removed.
  • Current plugin versions make no such requests.

We appreciate the community for flagging this, and we’re always open to feedback that helps us improve our products and keep things fully transparent. :folded_hands:

Best regards,
Support Team

2 Likes

My take.

The explanation is very vague.

I looked at the script…it’s heavily obfuscated, which is a red flag.

At the very least, Bubble should issue you a warning

1 Like

I wonder if it is partially the reason why every plugin dev had to disclose YES or NO if it uses your data. Either way it is clear what it was doing and at least it is gone now :hugs:

3 Likes

Everyone that knows how to code knows there are easier ways to do what they were doing now. Easier and less detectable.

Which is why I think it’s necessary to give a warning.

It was

1 Like