Templates Plugins Courses

AWS File Uploader and security hack

Hello and Thank You for taking time to review my post!

My company’s web services platform was created using Bubble.io.

Bubble allows people to create web services without code and third parties to create ‘plugins’ that help achieve a given end result.

In my case, I’m using a plugin called ‘AWS File uploader - Any File Size’ by Zerocode.

SEE:
AWS File uploader

Zerocode

Here is our problem…

We use the plugin above to allow customers to upload pdf documents into their user accounts. Additionally, we offer a ‘lock’ feature. When the lock is open the document is viewable by the public. If the lock is in a closed position then only the owner of the account can view the pdf when logged into their account.

We have come across a situation that if the URL for the pdf document is ever learned or made known at any time then the pdf can be accessed publicly regardless of whether or not the lock is open or closed.

I have written to Zerocode about this and asked if there is a way this can be corrected?

Zerocode responded as follows:

Hi John,

Thanks for reaching out and using our products. Unfortunately, it is not possible to make any adjustments at plugin level because our AWS File Uploader is simply uploading your files to the S3 bucket.

I think this is something to be implemented at Bubble level, meaning the app logic itself. So you if want to make it only accessible to platform owner when logged in, you can set any conditions for file’s URL or any other logic you desire.

However, if you wonder if there is a possibility to set any sort of restrictions/permissions on your S3 bucket, perhaps the following resources will be helpful:

https://aws.amazon.com/ru/premiumsupport/knowledge-center/secure-s3-resources/

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

You can set your S3 bucket as public or private.

Hope it helps.

Zerocode

On top of this my Bubble.io developer added:

"The update is about making bucket private… but not related to auth of the url. https://docs.zeroqode.com/plugins/aws-file-uploader-plugin

Check Permission Box https://docs.zeroqode.com/plugins/aws-file-uploader-plugin#permissions

In Bubble file storage (that also use AWS), they have a « private » checkbox that limit access to a specific user. But this is probably a script that process something on AWS side I guess but this is a part that I don’t know how this work. And yes, this is something to manage on AWS side. This is AWS that allow or not the access to url."

An AWS certified expert has taken a look already at this. However, he believed he did not have the skillset to fix the issue. He stated:

"While I think we’re on the right track here, I think you may be well suited talking to an AWS developer. The last thing I would want to do is hold you up on a timeline. I walked through the documentation step by step and this should be working the way we want now but I’m still having instances where I can copy/paste into another tab/window. I think we’re making slight progress because I am able to paste into another browser and it doesn’t let me access but the solution isn’t 100%. I’m happy to connect when you’re back and I apologize I don’t have a more definitive solution at the moment but I want to be upfront with you and respectful of your time. The last thing that would be helpful is possibly seeing the dev view/access of your front end. Maybe there’s something there holding this back but everything seems to be as it should be on the S3 side per zeroqode’s documentation.

Yet another developer said this:

if you want to modify permissions on an object level instead of a bucket level, you need to use the ACL. If you set the ACL properly it doesn’t matter if a visitor has a URL or not, they won’t be able to see it.

I would like to learn what is the best way to secure the files of my customers so they remain private. I welcome your experience and expertise!

Thank you for taking time to review all this.

Regards,

John

Hi @socialmedia,

Thanks for reaching out. If you want to set up any AWS restrictions for your app, it is something to be done under your own AWS account.

And you are able to set access control lists (ACLs). Just check on our docs here for more information.

Hope it helps.

Best,
Alex