There’s a whole lot of discussion on X and other platforms about an active zero day that affects the entire Bubble platform. They stated they reported the bugs months ago, did a proof of concept talk and GitHub writeup and received no response from Bubble. The GitHub writeup with a working proof of concept was released publicly today via X. I’m not going to link the X post or GitHub writeup but it’s pretty easy to find.
I think it’d be great if we could get some communication from the Bubble staff on this. The researchers claim the zero day is being released publicly because Bubble failed to respond to the bug report months ago.
Thanks George, saw you in the X thread there. After reading through the script and PoC it looks like it should only affect apps that don’t have privacy rules set. Have you tested this to confirm by chance?
What George said. This is all well documented and known.
The team is putting together a more official response in case users less familiar with our platform are worried.
An indirect way that your Bubble app could be leaking is via plugins.
You know how some plugins need an API key or some other form of secrets? If the plugin author didn’t properly set this up, they could be showing up to anyone who visits your app. You can check by opening the browser’s dev console and typing app.settings.client_safe. Mind you, not every item in that list is a secret, but I would recommend you double check.
It goes without saying, don’t share your app.bubble file with anyone you don’t trust. If you must, you can sanitize it by deleting the key settings.secure.
If you have hard-coded API keys in backend actions, those will be showing in your app.bubble file.
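The two checks described in this post, auditing app.settings.client_safe for secret-looking entries and stripping settings.secure from an exported app.bubble file, as an added example that is not code from the thread or from Bubble. It assumes client_safe is a flat object of setting name to value and that the export is JSON with a nested settings object carrying a secure key (the post does not spell out the file layout, so a literal "settings.secure" top-level key is handled as well); the sample data is constructed.

```javascript
// Added example (not from the thread or from Bubble): two small helpers for
// auditing what a Bubble app exposes. Assumptions: app.settings.client_safe is
// a flat object of setting name -> value (the post says to inspect it in the
// browser console), and the exported app.bubble file is JSON with a nested
// "settings" object carrying a "secure" key (the post says "settings.secure").

// Key-name fragments that usually indicate a credential.
const SECRET_HINTS = ["key", "secret", "token", "password", "passwd", "private", "credential"];

// Report entries in client_safe whose name looks like a secret. Values are
// never returned, only names and lengths, so the report itself can be shared.
// As the post notes, not every hit is a real secret (a publishable key is
// meant to be public), so each finding still needs a human look.
function findSuspectSettings(clientSafe) {
  const findings = [];
  for (const [name, value] of Object.entries(clientSafe)) {
    const lower = name.toLowerCase();
    const hint = SECRET_HINTS.find((h) => lower.includes(h));
    if (hint && typeof value === "string" && value.length > 0) {
      findings.push({ name, hint, length: value.length });
    }
  }
  return findings;
}

// Remove settings.secure from a parsed app.bubble export before sharing it.
// Handles both a nested settings.secure and a literal top-level
// "settings.secure" key, since the post does not say which shape the file
// uses (assumption). Works on a deep copy so the original object is untouched.
function sanitizeAppExport(appExport) {
  const copy = JSON.parse(JSON.stringify(appExport));
  let removed = false;
  if (copy.settings && typeof copy.settings === "object" && "secure" in copy.settings) {
    delete copy.settings.secure;
    removed = true;
  }
  if ("settings.secure" in copy) {
    delete copy["settings.secure"];
    removed = true;
  }
  return { sanitized: copy, removed };
}

// Constructed sample data (not real keys, not a real export).
const sampleClientSafe = {
  app_name: "demo-app",
  maps_api_key: "constructed-sample-value",
  stripe_publishable_key: "pk_test_constructed",
  support_email: "help@example.invalid",
  theme_color: "#336699",
};

const sampleAppBubble = {
  name: "demo-app",
  settings: {
    secure: { smtp_password: "constructed-sample" },
    client_safe: sampleClientSafe,
  },
};

// Run with node to see the audit output; in a browser console you would pass
// app.settings.client_safe directly to findSuspectSettings.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findSuspectSettings(sampleClientSafe));
  console.log(JSON.stringify(sanitizeAppExport(sampleAppBubble).sanitized, null, 2));
}
```

On the constructed sample the audit flags maps_api_key and stripe_publishable_key; the second is a deliberate false positive to show why the list needs review rather than blind trust. The sanitizer reports whether it actually removed anything, so a script that runs it before sharing an export can refuse to proceed if the expected key was not found.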