Issue details | Bubble Docs

Bubble API Tokens are 32-character keys used to authenticate API calls with your Bubble app. They serve as a way to verify whether a requester has permission to access resources and workflows in your app.

A Bubble API token grants the bearer full administrative access to your app, equivalent to the level of access you have as the app builder. This means any client with the API code can

Read, delete or edit all your database and data types
Trigger all publicly exposed API Workflows
Override all privacy rules

Purpose

This issue is flagged to highlight the presence of an API token in your app and to remind you of the extensive access it grants. This ensures you can make an informed decision about whether to retain or remove the token based on your app’s security needs.

The action enables users to access your app by entering their email and password, typically through a login form where the user submits their credentials. However, Bubble also provides the option to pre-fill this data using static values, allowing you to specify the email, password, or both directly within the action.

This can lead to two vulnerabilities:

Unauthorized access: If the credentials (email and/or password) are hardcoded into the action, someone could potentially gain access to another user’s account, as the credentials are pre-filled in part or whole.
Data exposure: The static credentials entered in the action are stored in your app’s code, making them visible and potentially accessible to anyone who inspects the app’s code, posing a significant security risk.

Purpose

This issue is flagged to notify you that one or more Login actions in your app have credentials pre-filled. This setup may pose a security risk, as it could potentially lead to unauthorized access or expose sensitive information.

Even with privacy rules in place, data “leaks” can occur if the rules are not properly configured. Various scenarios can lead to unintentional exposure of data, and while these might seem like rare corner cases, they are more common than you might expect.

This issue serves as a warning that Flusk was able to access data marked as sensitive while logged out, highlighting a potential gap in your app’s privacy configuration. It is not directly based on checking your privacy rules but rather on identifying exposed data during a logged-out state.

Purpose

The purpose of flagging this issue is to indicate that a non-logged-in user may have access to data marked as sensitive, potentially exposing information that should be protected.

This issue highlights that sensitive data is accessible to non-logged-in users, but it is not tied to any specific privacy rule misconfiguration. While we provide potential solutions in this section, it’s important to note that not all scenarios may be covered. We strongly recommend reviewing our comprehensive guide on privacy rules to help identify and resolve the issue.

Possible causes

Privacy rules that are always true: be mindful of privacy rules that always return a true value. To illustrate with a very basic example Current user is current user would always return a true value.
Not taking empty values into account: Many privacy rules function by comparing a field on a data type to a field on the user. For instance, you might create a rule like This Task’s Company is Current User’s Company. This ensures that only tasks belonging to the current user’s company are accessible.
However, for non-logged-in users, the Company field on the user is empty. If there are tasks in your database where the Company field is also empty, those tasks may become accessible to non-logged-in users (or logged-in users with an empty Company field). While this scenario should ideally never occur, it’s good practice to add an additional safeguard to your dynamic expression. For example:
This Task’s Company is Current User’s Company and Current User’s Company is not empty.
This extra step ensures that tasks are only accessible when the user has a valid company assigned, reducing the risk of unintended exposure.
Not checking if the user is logged in: To add an additional layer of security, you can also check that the current user is actually logged in. Expanding on the example above, the privacy rule may look like this: This Task’s Company is Current User’s Company and Current User’s Company is not empty and current user is logged in.

Troubleshooting

Data leaks only appear in one version of my app:
- Privacy rules differ between the development and live versions of your app. To ensure consistency, you need to deploy your app to make the test version live and synchronize the privacy rules.
- Additionally, discrepancies between the databases in the live and test environments can affect Flusk’s ability to identify issues. For example, if your test version has an empty database, Flusk cannot detect potential data leaks and will not flag this as an issue. It’s important to verify both versions to ensure your privacy rules and data are correctly aligned.
My issue is still not resolved. What can I do? If the Data Leak issue persists even after synchronizing your privacy rules and deploying the app, here are a few additional steps you can take to resolve it:
- Run a fresh security test from the Flusk dashboard
- To verify the data and have a visual overview of the data leaking from your app, we suggest running a Privacy Rules Checker test from the Flusk dashboard.
- Advanced; If you still can't find the solution to your problem, you can duplicate your app (including database content) and open the Data API to see the leaking data and troubleshoot more easily.

Learn more

To learn more about how privacy rules, check out the article below:

Article: Protecting data with privacy rules

Bubble allows you to secure the test version of your app (commonly called version-test) with a username and password. However, if you use the default credentials, there is a risk that someone could gain unauthorized access to the test version simply by guessing them.

The default username and password is username and password.

Purpose

The purpose of flagging this issue is to remind you to change the default and set your own unique credentials instead.

This issue will be triggered if:

The test version username and password of your app is set to username and password.

Allowing your app to be rendered as an iframe introduces several security vulnerabilities because it exposes your application to manipulation by external websites. Here’s a breakdown of the potential risks:

Clickjacking

What it is: An attacker embeds your app in an iframe on their website, overlaying it with invisible elements or misleading content. Users may unknowingly interact with your app, such as clicking buttons or submitting forms, without realizing the consequences.
Impact: This can result in unauthorized actions, such as granting permissions, transferring funds, or exposing sensitive information.

Phishing

What it is: By embedding your app in an iframe, an attacker can create a page that mimics your app and tricks users into entering sensitive information, like login credentials.
Impact: Users may believe they are interacting with your app, unknowingly providing their data to malicious actors.

Malware Distribution

What it is: An attacker uses an iframe to deliver malicious scripts or downloads through your app, leveraging the trust users place in your platform.
Impact: This can infect users’ devices, compromise their security, and damage your app’s reputation.

Content Manipulation

What it is: When your app is embedded as an iframe, attackers can manipulate the surrounding content to misrepresent your app or context.
Impact: This can lead to misinformation or defamation, harming user trust.

Session Hijacking

What it is: Attackers may use iframe embedding in combination with other vulnerabilities to capture session cookies or tokens.
Impact: This can give attackers unauthorized access to user accounts or sensitive data.

Purpose

The purpose of flagging this issue is to inform you that your app currently allows rendering as an iframe, which could expose it to vulnerabilities like the ones outlined above.

Bubble allows you to set a password policy in your app, that forces all users to use a password that:

Have a minimum length (specified as number of characters)
Require at least one number
Require at least one capital letter
Require at least one non-alphanumeric character

These four options can be configured independently, allowing you to require any combination of them, from just one to all. Not enabling this feature allows users to set weak passwords, such as common dictionary words or names, which can be potentially guessed or brute-forced by malicious actors.

Purpose

The purpose of flagging this issue is to make you aware that your app currently doesn't have a password policy set.

If a specific data type is not meant to be public, you need to define privacy rules to protect it. Flusk automatically identifies data types that don't have privacy rules set up, based on:

Fields that are defined as sensitive by Flusk's prediction model, or
Field that have been manually set to sensitive by you

You can read more about how to set field sensitivity in the article below:

Article: Flusk database rating

Purpose

The purpose of flagging this issue is to identify data types that have sensitive fields, but are not protected by privacy rules.

Flusk currently evaluates pages in two ways:

Public: pages that can be accessed by anyone
Sensitive: pages that can only be accessed by logged-in users

If a page is sensitive, it should contain an action that uses server-side redirection to redirect users to a different page, such as a front page or 404 page.

Purpose

The purpose of flagging this issue is to identify sensitive pages that don't have a proper redirect action.

Bubble provides the option to open your app editor to other users, allowing them to view and/or edit your application. This feature can be helpful for showcasing the editor publicly or collaborating with others to resolve specific issues.

However, granting open access to your app editor poses a significant security risk. It provides unrestricted access to all aspects of your app, including sensitive data, workflows, and settings, which can expose your app to potential vulnerabilities or misuse.

Purpose

The purpose of flagging this issue is to make you aware that your app is currently allowing anyone to view and/or edit the app.

Just like the data in your database, uploaded files can be secured using privacy rules. These rules ensure that even if someone obtains the file’s URL, they cannot access the file unless the privacy rules explicitly grant them permission.

This rule needs to be set both in the privacy rules, and the relevant file uploader element, making it easier to miss.

Purpose

This issue is flagged to inform you that one or more file uploaders in your app are currently set to upload files without the protection of privacy rules, potentially leaving them accessible to unauthorized users.

Just like the data in your database, uploaded images can be secured using privacy rules. These rules ensure that even if someone obtains the file’s URL, they cannot access the file unless the privacy rules explicitly grant them permission.

This rule needs to be set both in the privacy rules, and the relevant picture uploader element, making it easier to miss.

Purpose

This issue is flagged to inform you that one or more picture uploaders in your app are currently set to upload files without the protection of privacy rules, potentially leaving them accessible to unauthorized users.

Privacy rules consist of two types of rules:

Dynamic rules: these are the rules that you set up using dynamic expressions. Each rule grants access to one or more users, based on field stored on the relevant data type, and/or the user.
Everyone else: the everyone else rule defines what everyone who don't match any of the dynamic rules should have access to.

Privacy rules operate in a way where the most “permissive” rule takes precedence over others. This means that if the everyone else rule grants access to sensitive data in searches or fields, that data will be accessible to everyone, even if more restrictive dynamic rules are in place.

Purpose

This issue is flagged to highlight any instances where the Everyone else rule is set to allow users to View all fields. This setting could unintentionally expose sensitive data to unauthorized users, bypassing the more restrictive privacy rules you may have configured.

This issue is flagged when a public parameter is identified as potentially sensitive.

Since sensitivity is determined by Flusk’s prediction model, there may occasionally be inaccuracies. If you believe this parameter is not sensitive, you can choose to disregard this issue.

Sensitive parameters often include items like API keys, private unique IDs, endpoints, or any other information you would prefer to keep private.

Purpose

This issue is flagged to alert you that at least one parameter in your API Connector calls is not set to Private, making it visible and potentially exploitable.

By default, the endpoints specified in your API calls are not private and can be accessed by anyone who knows their location.

This may not pose a significant risk when working with third-party services that require additional authentication to access data. However, it can become a security concern when calling an endpoint that does not require authentication, as it may expose sensitive information or functionality.

Flusk leverages AI to identify API endpoints that may be sensitive. However, it’s a good practice to review all URL endpoints in your app, even those not flagged by Flusk, to ensure they don’t inadvertently expose sensitive information or functionality.

Purpose

The purpose of flagging this issue is to make you aware that Flusk's AI model has identified at least one URL endpoint that can be made more secure by hiding it.

There are two different solutions to this issue:

Solution 1: Hide the URL

To secure the URLs in your API calls, you can implement a workaround by defining the endpoint URL as a private parameter within the API call. This approach conceals the URL and helps to keep it private, reducing the risk of exposure.

Here's an example:

Before:

In this example, we already have a parameter set up (param1), but the URL is not concealed.

After:

By replacing the URL with a parameter (in this case we've called it URL), you can store the URL as a hidden parameter instead. Make sure to check Private to hide the parameter. This way, it will not show up in your app's codebase.

Solution 2: Ignore the issue

If you don't consider the URL sensitive, you can click the Ignore button in Flusk's Issue explorer to not see it again.

Activating the Bubble API allows external systems to interact with your application through various queries. Swagger provides a way for your API to describe itself automatically, enabling other systems to understand its structure and available queries.

While the Swagger file is not inherently a security vulnerability, hiding it is a form of obfuscation. Obfuscating the Swagger file can make it slightly more challenging for an unauthorized user to identify and access your API endpoints, adding an extra layer of complexity for potential intruders.

Article section: What is the Swagger specification?

The action allows you to generate a new password for a user, enabling them to log in to their account and update it with a personal, unique password. However, if this action is executed client-side, there is a risk that the randomly generated password will be visible in the Network tab of your browser's Developer Tools.

Purpose

The purpose of flagging this issue is to highlight instances in your app where a randomly generated string is being used in conjunction with the Assign a Temporary Password to a User action. This setup could potentially expose the temporary password to unauthorized access, increasing the risk of it being intercepted or stolen.

Bubble provides two distinct environments for your app: Test and Live. The Test environment is designed for previewing and testing your app during development, allowing you to experiment and refine features. The Live environment is what your end-users interact with — it represents your fully deployed and operational app.

The test version of your app can be password protected, and we strongly recommend doing this.

Purpose

This issue is flagged to inform you that the test version of your app is not password protected, allowing anyone with the URL to access it.

We strongly recommend always password-protecting your test version, to make sure that no one can access it without authenticating.

Solution

Navigate to Settings - General.
Locate Limit access to this app in run mode with a username and password under Privacy & security, and check the box
Provide a username and password different from the default username and password.

Bubble allows you to add collaborators to your app, enabling efficient teamwork and problem-solving during development. However, retaining collaborators indefinitely can pose a security risk.

Flusk helps mitigate this risk by letting you mark collaborators as approved or unapproved, ensuring you maintain control over who has access to your app over time.

Purpose

The purpose of flagging this issue is to identify non-approved collaborators that still have acess to your app.

To integrate Google Maps into your Bubble app, you’ll need to input a Google Maps API key into the Bubble editor. Keep in mind that this API key is publicly accessible, which means it could potentially be discovered and misused by unauthorized individuals.

Purpose

The purpose of flagging this issue is to notify you that your Google Maps API key is not restricted to your app’s domain, which leaves it vulnerable to potential misuse by unauthorized parties.

The Bubble API allows you to set up API workflows that can be triggered either by your app or external clients, such as other systems or applications. However, if an API workflow is configured to run without requiring authentication, it can be executed by anyone who knows the endpoint. This can create a potential security vulnerability, as unauthorized entities could exploit it to interact with your app.

Purpose

The purpose of flagging this issue is to notify you that one or more of your API workflows have the This workflow can be run without authentication option enabled. This setting allows anyone with the endpoint URL to execute the workflow, potentially exposing your app to unauthorized access.

There are two ways to solve this issue:

Solution 1: Enable authentication on the workflow

If the workflow doesn't need to be executable without authentication, you can disable this option.

Navigate to the backend workflow editor.
Locate the API workflow.
Uncheck This workflow can be run without authentication.

Note that some requests, such as webhooks, may still need to be able to access the workflow. If so, use the method below.

Solution 2: Set up a private Bubble API key

If a client needs to access the workflow but cannot log in as a regular user (such as for webhooks), consider securing the workflow by requiring a Bubble API key. This adds an additional layer of security while allowing external systems to interact with your app.

Navigate to Settings - API. You will see a button called "Create a new API Token".
Click it and give the API key a descriptive name (such as the name of the webhook client, e.g. "Stripe").
You will now see your private key generated randomly by Bubble.
Add this key to the endpoint that the webhook needs to access, such as: https://yourappid.bubbleapps.io/version-live/api/1.1/wf/your-endpoint?api_token=XXX(where XXX represents the code you just generated)
Uncheck This workflow can be run without authentication.

Bubble API token issue

Purpose

Solutions

Learn more

Clear data in login action issue

Purpose

Solution

Learn more

Data leak issue

Purpose

Possible causes

Troubleshooting

Learn more

Default username/password combination

Purpose

iFrame restriction issue

Purpose

Solution

No password policy issue

Purpose

Solution

No privacy rules defined issue

Purpose

Solution 1: Set up privacy rules

Solution 2: Change the rating of the data type

Learn more

Page access protection issue

Purpose

Solution 1: Set up a server-side redirect

Solution 2: Change the rating of the page

Learn more

Public Bubble editor issue

Purpose

Solution

Learn more

Public file uploader issue

Purpose

Learn more

Public picture uploader issue

Purpose

Learn more

Public sensitive fields issue

Purpose

Solution 1: Edit your privacy rules

Solution 2: Change the rating of the data type

Learn more

Public sensitive parameter in API call issue

Purpose

Field is not sensitive

Set parameter to private

The parameter needs to be dynamic

Learn more

Public sensitive URL in API call issue

Purpose

Solution 1: Hide the URL

Solution 2: Ignore the issue

Public Swagger file issue

Solution

Learn more

Temporary password vulnerability issue

Purpose

Solution

Learn more

Test version protection issue

Purpose

Solution

Unapproved collaborator issue

Purpose

Solution 1: Mark the collaborator as approved

Solution 2: Remove the collaborator(s)

Unsafe Google Maps API Token Issue

Purpose

Solution

Unprotected API Workflow issue

Purpose

Solution 1: Enable authentication on the workflow

Solution 2: Set up a private Bubble API key