Issue details

The Issue Explorer in Flusk provides a detailed list of potential security vulnerabilities in your app. In this section, we’ll break down each issue, offer suggested solutions, and provide further reading to guide you in addressing them effectively.

The issues are listed alphabetically.

Bubble API token issue

Bubble API Tokens are 32-character keys used to authenticate API calls with your Bubble app. They serve as a way to verify whether a requester has permission to access resources and workflows in your app.

A Bubble API token grants the bearer full administrative access to your app, equivalent to the level of access you have as the app builder. This means any client with the API code can

  • Read, delete or edit all your database and data types

  • Trigger all publicly exposed API Workflows

  • Override all privacy rules

Purpose

This issue is flagged to highlight the presence of an API token in your app and to remind you of the extensive access it grants. This ensures you can make an informed decision about whether to retain or remove the token based on your app’s security needs.

Clear data in login action issue

The action enables users to access your app by entering their email and password, typically through a login form where the user submits their credentials. However, Bubble also provides the option to pre-fill this data using static values, allowing you to specify the email, password, or both directly within the action.

This can lead to two vulnerabilities:

  • Unauthorized access: If the credentials (email and/or password) are hardcoded into the action, someone could potentially gain access to another user’s account, as the credentials are pre-filled in part or whole.

  • Data exposure: The static credentials entered in the action are stored in your app’s code, making them visible and potentially accessible to anyone who inspects the app’s code, posing a significant security risk.

Purpose

This issue is flagged to notify you that one or more Login actions in your app have credentials pre-filled. This setup may pose a security risk, as it could potentially lead to unauthorized access or expose sensitive information.

Data leak issue

Even with privacy rules in place, data “leaks” can occur if the rules are not properly configured. Various scenarios can lead to unintentional exposure of data, and while these might seem like rare corner cases, they are more common than you might expect.

This issue serves as a warning that Flusk was able to access data marked as sensitive while logged out, highlighting a potential gap in your app’s privacy configuration. It is not directly based on checking your privacy rules but rather on identifying exposed data during a logged-out state.

Purpose

The purpose of flagging this issue is to indicate that a non-logged-in user may have access to data marked as sensitive, potentially exposing information that should be protected.

Default username/password combination

Bubble allows you to secure the test version of your app (commonly called version-test) with a username and password. However, if you use the default credentials, there is a risk that someone could gain unauthorized access to the test version simply by guessing them.

The default username and password is username and password.

Purpose

The purpose of flagging this issue is to remind you to change the default and set your own unique credentials instead.

iFrame restriction issue

Allowing your app to be rendered as an iframe introduces several security vulnerabilities because it exposes your application to manipulation by external websites. Here’s a breakdown of the potential risks:

Clickjacking

  • What it is: An attacker embeds your app in an iframe on their website, overlaying it with invisible elements or misleading content. Users may unknowingly interact with your app, such as clicking buttons or submitting forms, without realizing the consequences.

  • Impact: This can result in unauthorized actions, such as granting permissions, transferring funds, or exposing sensitive information.

Phishing

  • What it is: By embedding your app in an iframe, an attacker can create a page that mimics your app and tricks users into entering sensitive information, like login credentials.

  • Impact: Users may believe they are interacting with your app, unknowingly providing their data to malicious actors.

Malware Distribution

  • What it is: An attacker uses an iframe to deliver malicious scripts or downloads through your app, leveraging the trust users place in your platform.

  • Impact: This can infect users’ devices, compromise their security, and damage your app’s reputation.

Content Manipulation

  • What it is: When your app is embedded as an iframe, attackers can manipulate the surrounding content to misrepresent your app or context.

  • Impact: This can lead to misinformation or defamation, harming user trust.

Session Hijacking

  • What it is: Attackers may use iframe embedding in combination with other vulnerabilities to capture session cookies or tokens.

  • Impact: This can give attackers unauthorized access to user accounts or sensitive data.

Purpose

The purpose of flagging this issue is to inform you that your app currently allows rendering as an iframe, which could expose it to vulnerabilities like the ones outlined above.

No password policy issue

Bubble allows you to set a password policy in your app, that forces all users to use a password that:

  • Have a minimum length (specified as number of characters)

  • Require at least one number

  • Require at least one capital letter

  • Require at least one non-alphanumeric character

These four options can be configured independently, allowing you to require any combination of them, from just one to all. Not enabling this feature allows users to set weak passwords, such as common dictionary words or names, which can be potentially guessed or brute-forced by malicious actors.

Purpose

The purpose of flagging this issue is to make you aware that your app currently doesn't have a password policy set.

No privacy rules defined issue

If a specific data type is not meant to be public, you need to define privacy rules to protect it. Flusk automatically identifies data types that don't have privacy rules set up, based on:

  • Fields that are defined as sensitive by Flusk's prediction model, or

  • Field that have been manually set to sensitive by you

You can read more about how to set field sensitivity in the article below:

Article: Flusk database rating

Purpose

The purpose of flagging this issue is to identify data types that have sensitive fields, but are not protected by privacy rules.

Page access protection issue

Flusk currently evaluates pages in two ways:

  • Public: pages that can be accessed by anyone

  • Sensitive: pages that can only be accessed by logged-in users

If a page is sensitive, it should contain an action that uses server-side redirection to redirect users to a different page, such as a front page or 404 page.

Purpose

The purpose of flagging this issue is to identify sensitive pages that don't have a proper redirect action.

Public Bubble editor issue

Bubble provides the option to open your app editor to other users, allowing them to view and/or edit your application. This feature can be helpful for showcasing the editor publicly or collaborating with others to resolve specific issues.

However, granting open access to your app editor poses a significant security risk. It provides unrestricted access to all aspects of your app, including sensitive data, workflows, and settings, which can expose your app to potential vulnerabilities or misuse.

Purpose

The purpose of flagging this issue is to make you aware that your app is currently allowing anyone to view and/or edit the app.

Public file uploader issue

Just like the data in your database, uploaded files can be secured using privacy rules. These rules ensure that even if someone obtains the file’s URL, they cannot access the file unless the privacy rules explicitly grant them permission.

This rule needs to be set both in the privacy rules, and the relevant file uploader element, making it easier to miss.

Purpose

This issue is flagged to inform you that one or more file uploaders in your app are currently set to upload files without the protection of privacy rules, potentially leaving them accessible to unauthorized users.

Public picture uploader issue

Just like the data in your database, uploaded images can be secured using privacy rules. These rules ensure that even if someone obtains the file’s URL, they cannot access the file unless the privacy rules explicitly grant them permission.

This rule needs to be set both in the privacy rules, and the relevant picture uploader element, making it easier to miss.

Purpose

This issue is flagged to inform you that one or more picture uploaders in your app are currently set to upload files without the protection of privacy rules, potentially leaving them accessible to unauthorized users.

Public sensitive fields issue

Privacy rules consist of two types of rules:

  • Dynamic rules: these are the rules that you set up using dynamic expressions. Each rule grants access to one or more users, based on field stored on the relevant data type, and/or the user.

  • Everyone else: the everyone else rule defines what everyone who don't match any of the dynamic rules should have access to.

Privacy rules operate in a way where the most “permissive” rule takes precedence over others. This means that if the everyone else rule grants access to sensitive data in searches or fields, that data will be accessible to everyone, even if more restrictive dynamic rules are in place.

Purpose

This issue is flagged to highlight any instances where the Everyone else rule is set to allow users to View all fields. This setting could unintentionally expose sensitive data to unauthorized users, bypassing the more restrictive privacy rules you may have configured.

Public sensitive parameter in API call issue

This issue is flagged when a public parameter is identified as potentially sensitive.

Since sensitivity is determined by Flusk’s prediction model, there may occasionally be inaccuracies. If you believe this parameter is not sensitive, you can choose to disregard this issue.

Sensitive parameters often include items like API keys, private unique IDs, endpoints, or any other information you would prefer to keep private.

Purpose

This issue is flagged to alert you that at least one parameter in your API Connector calls is not set to Private, making it visible and potentially exploitable.

Public sensitive URL in API call issue

By default, the endpoints specified in your API calls are not private and can be accessed by anyone who knows their location.

This may not pose a significant risk when working with third-party services that require additional authentication to access data. However, it can become a security concern when calling an endpoint that does not require authentication, as it may expose sensitive information or functionality.

Flusk leverages AI to identify API endpoints that may be sensitive. However, it’s a good practice to review all URL endpoints in your app, even those not flagged by Flusk, to ensure they don’t inadvertently expose sensitive information or functionality.

Purpose

The purpose of flagging this issue is to make you aware that Flusk's AI model has identified at least one URL endpoint that can be made more secure by hiding it.

Public Swagger file issue

Activating the Bubble API allows external systems to interact with your application through various queries. Swagger provides a way for your API to describe itself automatically, enabling other systems to understand its structure and available queries.

While the Swagger file is not inherently a security vulnerability, hiding it is a form of obfuscation. Obfuscating the Swagger file can make it slightly more challenging for an unauthorized user to identify and access your API endpoints, adding an extra layer of complexity for potential intruders.

Article section: What is the Swagger specification?

Temporary password vulnerability issue

The action allows you to generate a new password for a user, enabling them to log in to their account and update it with a personal, unique password. However, if this action is executed client-side, there is a risk that the randomly generated password will be visible in the Network tab of your browser's Developer Tools.

Purpose

The purpose of flagging this issue is to highlight instances in your app where a randomly generated string is being used in conjunction with the Assign a Temporary Password to a User action. This setup could potentially expose the temporary password to unauthorized access, increasing the risk of it being intercepted or stolen.

Test version protection issue

This issue only appears if you are on a paid plan, as the free plan doesn't support password protecting version-test.

Bubble provides two distinct environments for your app: Test and Live. The Test environment is designed for previewing and testing your app during development, allowing you to experiment and refine features. The Live environment is what your end-users interact with — it represents your fully deployed and operational app.

The test version of your app can be password protected, and we strongly recommend doing this.

Purpose

This issue is flagged to inform you that the test version of your app is not password protected, allowing anyone with the URL to access it.

Unapproved collaborator issue

Bubble allows you to add collaborators to your app, enabling efficient teamwork and problem-solving during development. However, retaining collaborators indefinitely can pose a security risk.

Flusk helps mitigate this risk by letting you mark collaborators as approved or unapproved, ensuring you maintain control over who has access to your app over time.

Purpose

The purpose of flagging this issue is to identify non-approved collaborators that still have acess to your app.

Unsafe Google Maps API Token Issue

To integrate Google Maps into your Bubble app, you’ll need to input a Google Maps API key into the Bubble editor. Keep in mind that this API key is publicly accessible, which means it could potentially be discovered and misused by unauthorized individuals.

Purpose

The purpose of flagging this issue is to notify you that your Google Maps API key is not restricted to your app’s domain, which leaves it vulnerable to potential misuse by unauthorized parties.

Unprotected API Workflow issue

The Bubble API allows you to set up API workflows that can be triggered either by your app or external clients, such as other systems or applications. However, if an API workflow is configured to run without requiring authentication, it can be executed by anyone who knows the endpoint. This can create a potential security vulnerability, as unauthorized entities could exploit it to interact with your app.

Purpose

The purpose of flagging this issue is to notify you that one or more of your API workflows have the This workflow can be run without authentication option enabled. This setting allows anyone with the endpoint URL to execute the workflow, potentially exposing your app to unauthorized access.

Last updated

#829: Flusk: more detailed Issue Descriptions

Change request updated