2023 Report: A Comprehensive Overview of the Security of the Top 100 Apps Made on Bubble.io

by Victor Nihoul

Apr 24, 2023

As the tech industry continues to grow and evolve, security and regulations around data privacy are becoming increasingly important. This is especially true of applications made on the no-code platform Bubble.io, which is becoming more and more popular.

However, the rise in popularity is also accompanied by an increased risk of cyber-attacks. Despite the ease of use, Bubble.io apps are not always well secured. This is due to two main factors: lack of information about best practices and no public information about existing and previous vulnerabilities/leaks.

In order to address this issue, Flusk has conducted a report analyzing the security of the top 100 apps made on the Bubble.io platform.

Our main aim at Flusk is to improve the security and reliability of the Bubble ecosystem. We’ve carried out over 30 security audits on the major players in the Bubble space, and what we found is that the ecosystem needs more education and tools to help make it more secure.

Our new tool, Flusk Vault, performs automated security audits on Bubble applications.
You can sign up now and give it a try by following this link.

By looking at the situation in 2022, this report provides an overview of security in the Bubble.io ecosystem, covering the security measures currently in place, potential vulnerabilities, and remediation techniques, and will hopefully help to foster a secure, compliant, and privacy-driven ecosystem.

This independent study is conducted by a group of vigilant and dedicated Bubble developers with a keen interest in security, and is not affiliated with the Bubble team.

Report Methodology

For this report, we followed a methodology that evaluated the security of the top 100 most popular applications built on Bubble.io based on specific vulnerability criteria.

Finding the Top 100 Apps made on Bubble.io

We first collected a list of Bubble apps from different sources:

  • Technology lookup websites, namely BuiltWith and Wappalyzer
  • All apps built by agencies from the Bubble.io agency directory
  • All apps from the App of the day section in Bubble’s forum
  • All links redirecting to a Bubble app in Bubble’s forum between 2018 and 2022
  • Other minor sources such as plugin editors who shared their plugin install app URLs.

The following method was then used to sort apps within a Top 100:

  • Removing all deprecated apps, non-Bubble apps, or apps made by Bubble itself.
  • Removing all apps with a “free” or “agency” plan.
  • Removing all non-sensitive apps (such as landing page-only apps, or with no account capabilities)
  • For public apps, getting traffic statistics from SimilarWeb.
  • For apps built for internal use, we looked at metrics such as the company size and value.
    By internal use, we mean apps destined to be used only by a restricted group of people (such as a company) with no possibility to buy a membership or access.

Following a comprehensive analysis of 38,453 links, we were able to identify 2,640 eligible applications for the report.

→ After further sorting, our Top 100 apps consisted of 87 applications intended for public use and 13 solely for internal purposes.

Vulnerability Points Considered

We carried out tests on the Top 100 apps list to analyze the security points mentioned below:

  • Exposure of sensitive data via Data API leaks
  • Exposure of sensitive data due to misconfigured privacy rules and searches/data retrievals on all pages
  • Unauthorized access to restricted or non-public pages (e.g. administrator dashboards)
  • Manipulation of restricted workflows (e.g. creating users as administrators, activities related to sensitive operations on databases, etc.)
  • Unauthorized access to third-party services and APIs
  • Clear data in login workflows
  • Temporary password vulnerability
  • Unauthorized access to API endpoints

The tests were conducted both manually and with the assistance of our internal audit tool for complex operations (e.g. URL parameter brute-forcing, XHR scraping, etc.).

Advanced security exploits were deliberately omitted due to the complexity of performing them on such a large dataset (e.g. key-to-path, JSON parsing, cookie exploit, etc.). The report does not include minor vulnerabilities such as database leaks with less than 50 entries or minor compromised actions.

A note on ethics

→ All actors whose applications were included in the report were notified of the vulnerabilities prior to the report’s release. We provided them with exact information on the identified vulnerabilities and offered them no-cost support in addressing them.

→ No data from the vulnerabilities was downloaded or stored on local systems, and our sensitive-data detection tool, which uses Google Vertex AI, was configured to rely only on key (field name) analysis, without exposing the values.

→ No actions were taken on any website through compromised access or actions that may have been restricted; instead, we only used the app’s source code to classify the sensitivity of actions triggered by potentially compromised workflow triggers.
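The key-only sensitivity check described above, as an added example that is not Flusk’s tool: it reads a Data API response, keeps only field names, and labels each one sensitive, safe or unknown. A constructed keyword heuristic stands in for the Vertex AI model, and the sample response and its patterns are assumptions, not data from the report.

```python
import json
import re
from typing import Dict, Iterator
# Constructed key-name heuristics standing in for the model; tune them to your own data model.
SENSITIVE = {
    "ssn": re.compile(r"\b(ssn|social ?security)\b"),
    "identity_document": re.compile(r"\b(passport|id ?card|driver.?s?.?licen[cs]e)\b"),
    "phone": re.compile(r"\b(phone|mobile|tel)\b"),
    "postal_address": re.compile(r"\b(address|street|zip|postal)\b"),
    "recording": re.compile(r"\b(recording|video|meeting)\b"),
}
# Emails are excluded from "sensitive" in the report; the rest are Bubble envelope/metadata keys.
SAFE = re.compile(r"^(id|email|created date|modified date|created by|cursor|count|remaining)$")

def scalar_keys(node, prefix: str = "") -> Iterator[str]:
    """Yield dotted key paths of scalar fields; values are checked for type only, never emitted."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            if isinstance(value, (dict, list)):
                yield from scalar_keys(value, path)
            else:
                yield path
    elif isinstance(node, list):
        for item in node:
            yield from scalar_keys(item, prefix)

def classify_key(path: str) -> str:
    """Normalise the leaf key ('Created Date', 'id_card') and label it by name alone."""
    leaf = re.sub(r"[^a-z0-9]+", " ", path.rsplit(".", 1)[-1].lower()).strip()
    if SAFE.match(leaf):
        return "safe"
    for label, pattern in SENSITIVE.items():
        if pattern.search(leaf):
            return f"sensitive:{label}"
    return "unknown"

def classify_response(raw_json: str) -> Dict[str, str]:
    """Map every scalar key path of a Data API response to safe / sensitive:<kind> / unknown."""
    return {path: classify_key(path) for path in scalar_keys(json.loads(raw_json))}

def summarize(labels: Dict[str, str]) -> Dict[str, int]:
    """Count keys per bucket, mirroring the sensitive / safe / unknown split in the report's charts."""
    counts = {"safe": 0, "sensitive": 0, "unknown": 0}
    for label in labels.values():
        counts[label.split(":")[0]] += 1
    return counts
# Constructed sample shaped like a Bubble Data API list response; every value is fake.
SAMPLE_RESPONSE = json.dumps({"response": {"cursor": 0, "count": 2, "remaining": 0, "results": [
    {"_id": "x1", "Created Date": "2022-12-01T00:00:00Z", "email": "a@example.com", "favorite_color": "blue",
     "social_security_number": "000-00-0000", "passport_scan": "https://example.com/p.jpg"},
    {"_id": "x2", "phone": "+1 555 0100", "postal_address": "1 Example St"}]}})
```

Because only `scalar_keys` ever touches the parsed document and it yields paths, no field value can reach the labels or any log line written from them.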

The Results

The findings of the study were concerning, as the report revealed that 89% of the Top 100 apps had at least one security vulnerability.

89% of the Top 100 apps showed at least one sensitive security vulnerability.

Sensitive data leaks

The most concerning results were found regarding sensitive data leaks.

Out of the Top 100 apps reviewed, at least 76 of them exhibited vulnerabilities.

In total, we were able to identify over 2,300,000 pieces of sensitive and personal information, including American social security numbers, passports, ID card scans, private meeting video records, etc.

Share of apps with sensitive data leaks among the Top 100 Bubble.io apps. Data that could not be identified as either sensitive or secure is referred to as “Unknown”.

We refer to sensitive data as information that is subject to legal regulations (such as GDPR, CPRA, or the Data Protection Act 1998), internal private documents, or private information about users such as a postal address or phone number (excluding emails).

Compromised restricted actions and access

Analysis of the Top 100 apps revealed that 53 of them had restricted access vulnerabilities, and 61 of them had compromised restricted actions.

Share of apps with compromised actions among the Top 100 Bubble.io apps. The actions that could not be classified as either sensitive or safe are referred to as “Unknown”.

This screenshot shows an example of a compromised admin dashboard with sensitive actions on the public/live database.

Third-party or API vulnerabilities

Out of the Top 100 apps reviewed, 18 of them exhibited vulnerabilities.

Share of apps with third-party or API vulnerabilities among the Top 100 Bubble.io apps. The services that could not be classified as either sensitive or safe, or for which we could not confirm potential access, are referred to as “Unknown”.

This screenshot shows an example of a compromised third-party service with full administrator access to sensitive content and actions.

Involved Development Actors

Among the 89 apps that exhibited vulnerabilities, we were able to identify the origin of the app development for 75 of them.

  • Approximately 92% of apps created by independent entrepreneurs or businesses had vulnerabilities.
  • Approximately 65% of apps created by Bubble agencies had vulnerabilities.
  • Approximately 82% of apps created by freelancers or independent developers had vulnerabilities.

Conclusion

Bubble.io is a secure platform that has employed strong protective measures for data security.

However, its widespread availability and intuitive user interface make it accessible to a large audience who may not have a comprehensive understanding of cybersecurity or up-to-date knowledge of data privacy regulations, which potentially leads to risks for the end-users.

This phenomenon seems further amplified by the lack of adequate information regarding security practices and a dearth of public reports regarding previous or existing vulnerabilities.

It is also necessary to correlate this observation with the exponential growth of no-code tools, and more specifically Bubble.
More and more applications are built with Bubble.io, so statistically, more and more applications have security holes. It is necessary to take measures as soon as possible in order to keep this ecosystem secure and not lose credibility.

Growth curve of the number of apps running on Bubble.io between 2013 and 2022. Source BuiltWith.

It is, therefore, urgent to raise awareness among the different actors, including individual entrepreneurs, freelancers, and agencies.

Building secure Bubble applications

After conducting over 30 manual audits for Bubble applications, our team has developed an innovative internal application to expedite the process. In consultation with agency owners, it became evident that a high-performance security tool could enhance their quality assurance procedures and facilitate the delivery of secure applications. Consequently, we collaborated with more than 15 agencies and over 50 Bubble freelancers to create an automated solution that replicates our manual efforts.

We recently introduced Flusk Vault, a cutting-edge tool designed to assist Bubble developers, agencies, and business owners in launching secure applications free from data breaches or compromised access points.

This screenshot shows a concrete example of Flusk Vault on a test application.

Since you’ve read this study, we would like to thank you for caring about such important topics in the Bubble ecosystem by offering a 10% discount on your first Flusk Vault license.

You can sign up by following this link and use the following code during checkout: “SECURITYSTUDY4800”.
Here’s a quick article about how to apply discount codes.

We also released a free book about Bubble security that will teach you how to build secure applications. 80 pages of concrete examples, reviewed by Bubble and 15 expert Bubble developers: 🔗 The Bubble Security Cheat-Sheet 2023

Review by Bubble experts

We’ve submitted this report to recognized Bubble experts to learn what they think about the results and how their work can improve security on Bubble.


Petter Amlie

Petter is a well-known, recognized expert in the Bubble ecosystem. He’s the author of The Ultimate Guide to Bubble Security and The Ultimate Guide to Bubble Performance. He’s also working with Bubble on the product documentation.

What do you think about the results of this study?

“They’re sobering for sure, but not surprising. Bubble offers strong security, but it’s still fairly difficult to set up an app that addresses all potential vulnerabilities, at least compared to the ease of use of other parts of their platform. It’s a challenge that most vulnerabilities are not ignored, but developers are ignorant that they exist. Making that a high-priority conversation in the community is important.”

What do you think is the main cause of this result?

“I think there are several. Perhaps first and foremost I agree that Bubble attracts an audience that has no experience with cyber security, and it shows. They may not have any experience with design and workflow logic either, but the immediate WYSIWYG results force them to learn. Security vulnerabilities are largely invisible and very hard to be conscious of if you’re not told. Secondly, security is a low priority for a lot of companies: most change their practices after they’ve been breached, so it’s not unique to Bubble. It’s especially hard to prioritize if you’re building a startup hoping to get it to the market quickly and learning about security feels like an insurmountable challenge. It’s also a negative cycle that a lot of users are building their app while they are learning: and security is often the last thing they pick up. Turning the ship around and making changes to their app after the fact is not a tempting task.”

What solutions do you think would be effective in better securing the Bubble ecosystem?

“Awareness is obviously number one. I don’t think the large-scale hacker groups are that much aware of Bubble yet, but bot networks will surely be set up that exploit known vulnerabilities and when that happens thousands of apps could be exposed all at once: and who knows how much user data. Bubble’s docs need to keep improving, and to get new and casual Bubble users onboarded to good security practices, third-party resources like books and your auditing platform are not enough: Bubble needs to work to strengthen the awareness and help developers understand best practices early in the product development process.”

How do you contribute to the security of the Bubble ecosystem?

“My most obvious contribution I guess is the book and hopefully the work I’m doing on the manual. Security will surely be a big part of that work even if we haven’t reached that point yet in the manual development. I do coaching sessions and training/bootcamps, but the large, meaningful volume of users is reached through the books, articles and manual.”

Do you think that external security solutions (nocode:nohack, ncScale, Flusk) have their place in the ecosystem? Why?

“Very much so. Security is a work of structure and repetition: checks, and re-checks. Let’s say a system like Flusk can reveal 80% of potential vulnerabilities before every deployment — obviously that’s a lot better than 0% and even more importantly, it’s every time. Even if there are 20% corner cases that still slip through the cracks I’d say that’s still a major improvement. I’m making these numbers up to illustrate my point, but yes: if software can replace humanly managed checklists it’s guaranteed to lower the human error rate.”

If you had to give 1 safety tip to everyone who learns Bubble, what would it be?

“I’ll give you two: learn privacy rules, and learn the difference between client-side and server-side.”


Benoît de Montecler

Benoît is the co-founder of ncScale, the 1st tool to make your no-code reliable, secure, and maintainable.

What do you think about the results of this study?

“These results are concerning because they have worsened in one year. The volume of applications has more than doubled, and thousands of new bubblers are arriving and overlooking security for their first applications. Like any new technology, we are discovering its weaknesses little by little. This does not worry me because it follows what happened with the code. Code-based applications have just as many flaws, but developers are better equipped to monitor them unlike with no-code. New tools like Flusk or ncScale show that things are heading in the right direction.
Contrary to popular belief, good no-coders are just as rare as good developers.
It is now essential for companies to master no-code as it has become a competitive advantage. Developing 10x faster than a competitor should not come at the expense of quality, and this is now possible thanks to these new tools.”

What do you think is the main cause of this result?

“Newcomers to Bubble use this tool as they would use any other SaaS platform that prevents users from creating vulnerabilities. Thanks to its permissive approach, Bubble is very powerful in terms of customization. This is what makes it its main asset and its main weakness.”

What solutions do you think would be effective in better securing the Bubble ecosystem?

“Bubble should scan apps and be proactive about certain obvious things such as:
- Alerting when sensitive data is public
- Making unnecessary public elements private such as the list of pages, database structure, and list of third-party APIs used.
- Highlighting Bubble’s security tools, there are more and more of them which is a good sign! It started with Tinkso then ncScale and finally Flusk! This is going in the right direction, and I hope that others will come!”

How does ncScale contribute to the security and reliability of the Bubble ecosystem and the no-code industry in general?

“We have reintegrated the functionalities of our security plugin ‘nocodenohack’ into ncScale, and we have just launched alerting on Bubble logs. This allows us to monitor unauthorized behaviors in real-time, such as unauthorized access to an admin page by a user, detect errors that block users, or detect an abnormal peak in the usage of a functionality.”

If you had to give one security advice to everyone who is learning Bubble, what would it be?

“If there’s one thing to remember to secure your Bubble app, it’s that you need to design your database and set up your privacy rules at the same time! If you don’t do both in parallel, it will be difficult to secure and the risk of error is very high.”

Resources

Immediate solutions include resources from well-known actors, such as:

This report was based on a study conducted in December 2022 by Flusk.

If you would like to use or republish the contents of this article, please contact inquiries@flusk.eu for permission.
