The new security dashboard behavior

Hi everyone,

I have a few questions about Bubble’s recently released security check tool.

In the Privacy Checker section, even though nothing is checked under “Everyone else (default permissions)”, it still detects some leaks.

I’m assuming this might be related to Backend Workflows that have rules like “ignore privacy rules” or “can run without being logged in”, right? Or not?

The subtitle for this section says:

“Test which fields on your data types have data that can be accessed without being logged in to your app.”

Am I missing something about how this interface works?

If I understand correctly, if there’s any personal data, the tool flags it as “not secure”?
But the title says “see if data can be accessed by users who are not logged in” — so I’m a bit confused.

Also, the privacy tests don’t return the same results between live and main, even though I have exactly the same privacy settings in both…

What are the privacy rules on your data type?

See an example below.

I’d strongly recommend enabling parentheses in your app’s General settings as it will help show why this privacy rule might expose data.

But how can you explain that we get different check results between the live version and main?

In addition, I’d recommend separating these rules to make things clearer, instead of keeping the commercial one all in a single rule.

What might be happening here is exactly the lack of parentheses, which in the “or” conditions is causing the rule to break and things to be exposed.

What do you mean?

When using the new Bubble security check tool, I have exactly the same privacy settings for the live version and main, but the results of the check are not the same ^^

Huhhhh What is the difference shown? That’s strange if they are the same rules.

A lot of differences, in fact, for example in the number of leaked data. That's why I asked if the tool works or not...

The tool works by checking for actual leaks. If you have no data in one version, or no data that is leaking in one version, it won’t be detected. It checks data leaks on logged out users, not the privacy rule logic.

Yep, but I still have data in both versions…

But possibly not data that is leaking, because it would only leak under certain conditions.

Will check! Thanks

I can confirm — the behavior is quite weird. Even when I modify the privacy rules, run another check, or clear the data cache, nothing changes. Also, the issue isn’t the same between the live and main branches. So… I’m not sure. Have you checked on your side?
https://scan.bubble.io/dashboard

Have you done this?

Yes, I did.

Do you want to share so we can help?

I will work on it a little bit again and let you know, but thanks for asking. Have you checked this new tool?