Why your backend workflows might be your app's biggest vulnerability

Not sure if a typo or you meant it, but I love it. I’ll be using this one.

4 Likes

Yep

1 Like

Lol it was meant to be “essential” xD

1 Like

What is even the point of this? Weird.

Higher barrier to entry for people just poking around in dev tools I guess.

But build your own lookup based on this knowledge and couple this with the fact you can publicly see the schema of the app - really the only line of defense is the privacy rules I guess. I may be wrong though…

Imagine the amount of apps out there in which the dev either doesn’t care about privacy rules, has misconfigured them or mistakenly thinks the constraints on the “do a search for” is stopping people seeing data they shouldn’t be.

Yes, but this isn’t new knowledge.

Not suggesting it is, it’s merely my way of coming to some sort of conclusion based on the findings of being able to manually call msearch. I don’t doubt others know this.

1 Like

Yeah, it’s new public information that Bubble has things set up this way and that it’s possible to run an msearch directly in the browser console. This leads to the conclusion that to protect data against bad actors, you can only rely on privacy rules for that, while ensuring all data displayed and accessible to the correct users who are not bad actors still needs proper constraints.

It just brings together nicely an understanding of ensuring we have robust and complete data security as Bubble seems to have made it super simple for bad actors to access the data.


ref.
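To make the point in the posts above concrete (that a constraint on a "Do a search for" only filters what the page asks for, while a privacy rule is applied server-side to every query, including one sent directly from the console), here is an added model in Python. It is not Bubble's code and not from this thread; the users, records and the rule "company = current user's company" are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: str
    company: str


@dataclass(frozen=True)
class Record:
    id: str
    company: str
    title: str


# Constructed sample data (hypothetical names, not from the thread).
USERS: Dict[str, User] = {
    "alice": User("alice", "acme"),
    "bob": User("bob", "globex"),
}
RECORDS: List[Record] = [
    Record("r1", "acme", "Acme career path"),
    Record("r2", "acme", "Acme salary bands"),
    Record("r3", "globex", "Globex career path"),
]


def privacy_rule(user: Optional[User], record: Record) -> bool:
    """Server-side privacy rule: 'company = current user's company'.
    A logged-out request (user is None) matches nothing."""
    return user is not None and record.company == user.company


def query(user: Optional[User], constraints: Dict[str, str],
          enforce_privacy_rules: bool) -> List[str]:
    """Model of the data endpoint. `constraints` is whatever the client sent;
    the privacy rule (if enabled) is applied before any client constraint."""
    rows = RECORDS
    if enforce_privacy_rules:
        rows = [r for r in rows if privacy_rule(user, r)]
    rows = [r for r in rows
            if all(getattr(r, k) == v for k, v in constraints.items())]
    return sorted(r.id for r in rows)


def page_search(user: User, enforce_privacy_rules: bool) -> List[str]:
    """The 'Do a search for' as the developer configured it on the page:
    constrained to the current user's company."""
    return query(user, {"company": user.company}, enforce_privacy_rules)


def direct_search(user: Optional[User], enforce_privacy_rules: bool) -> List[str]:
    """The same endpoint called with no constraints at all, which is what a
    request built outside the page can do."""
    return query(user, {}, enforce_privacy_rules)


def audit(enforce_privacy_rules: bool) -> Dict[str, List[str]]:
    """What an unconstrained query exposes to each user type, logged out included.
    This is the check a privacy-rule tester performs per user type."""
    exposure: Dict[str, List[str]] = {}
    for name, user in list(USERS.items()) + [("logged_out", None)]:
        exposure[name] = direct_search(user, enforce_privacy_rules)
    return exposure


if __name__ == "__main__":
    alice = USERS["alice"]
    print("page search, no privacy rule:   ", page_search(alice, False))
    print("direct search, no privacy rule: ", direct_search(alice, False))
    print("direct search, privacy rule on: ", direct_search(alice, True))
    print("audit with privacy rule on:     ", audit(True))
```

The page search looks safe in both configurations because its own constraint hides the other company's rows; only the direct, unconstrained query shows whether the privacy rule is actually doing the work.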

I think it’s pretty clearly documented already that your data is only secured by privacy rules, but maybe @petter might be able to adjust it to make it even more obvious that privacy rules are the only thing that restrict data access.

Anyways, for all of you who want to test and debug your app’s privacy if you didn’t realise this, then I’m building the most advanced security tool for Bubble @ https://secure.notquiteunicorns.xyz and you can do exactly this, checking your privacy rules as any user type (versus existing tools that only check logged out users):

1 Like

@georgecollier - why add a ‘Terminate this workflow’ action? Isn’t a condition on the workflow itself sufficient?

Yeah, same thing 🙂 Difference is likely that when using a condition on the workflow itself, it won’t return a 200 Success if using a wrong key (so using Terminate workflow avoids them even knowing easily that they’ve got the right/wrong key)

1 Like
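The difference described in the reply above, modelled as an added Python example (not Bubble's implementation and not from this thread): one handler rejects the request when the key is wrong, the other always completes with the same response and simply does nothing. The non-200 status for the condition variant, the placeholder key and the use of a constant-time comparison are all assumptions of this example.

```python
import hmac
from typing import Callable, Dict, List

# Constructed placeholder; a real app would load the key from a secret store.
EXPECTED_KEY = "placeholder-api-key"

# Records the side effect of a successful run so tests can see whether work happened.
WORK_LOG: List[str] = []


def do_work(caller: str) -> None:
    """Stand-in for the workflow's real actions."""
    WORK_LOG.append(caller)


def key_matches(request_key: str) -> bool:
    # Constant-time comparison (assumed good practice, not something the thread discusses).
    return hmac.compare_digest(request_key.encode(), EXPECTED_KEY.encode())


def condition_on_workflow(request_key: str) -> Dict[str, object]:
    """Variant A: a condition on the workflow itself. When the condition fails the
    workflow never runs and the caller sees a different status (400 is assumed here)."""
    if not key_matches(request_key):
        return {"status": 400, "body": {"error": "condition not met"}}
    do_work("condition")
    return {"status": 200, "body": {}}


def terminate_workflow_action(request_key: str) -> Dict[str, object]:
    """Variant B: the workflow always starts; its first action is 'Terminate this
    workflow' when the key is wrong. Both paths return an identical 200 response."""
    if not key_matches(request_key):
        return {"status": 200, "body": {}}  # terminated: nothing done, nothing disclosed
    do_work("terminate")
    return {"status": 200, "body": {}}


def leaks_key_validity(handler: Callable[[str], Dict[str, object]]) -> bool:
    """True if a caller can tell a right key from a wrong one just by comparing responses."""
    return handler("definitely-wrong-key") != handler(EXPECTED_KEY)


if __name__ == "__main__":
    for name, handler in (("condition", condition_on_workflow),
                          ("terminate", terminate_workflow_action)):
        print(f"{name}: wrong key -> {handler('definitely-wrong-key')}, "
              f"leaks validity: {leaks_key_validity(handler)}")
```

With the terminate pattern the wrong-key and right-key responses are indistinguishable to the caller, so a guessed key cannot be confirmed from the status code alone; the work itself still only runs on a matching key.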

I was just using NQU Secure to improve the app’s privacy rules and I realized that Bubble no longer shows that message: “fields xx, yy, zz, are not shown because of privacy rules”. That used to be there, correct?

With privacy rule turned on (on the right) it doesn’t show the Career Path key and it doesn’t even say that it’s hidden because of privacy rules.

1 Like

When a privacy rule says something cannot be found in searches, the debugger notification that indicates privacy rules are causing fields to not be available (i.e., the red text indicator with the list of fields affected) does not show.

All of my data is blocked by a privacy rule of company = current user’s company. So I think that’s what he’s saying.