🔐 Bubble.io Payload Encryption/Decryption Suite

Complete toolkit for encrypting and decrypting Bubble.io payloads. This tool demonstrates a critical security vulnerability in Bubble.io's encryption implementation.

🇸🇦 النسخة العربية | 📚 Encryption Guide | 📋 Summary

---

🚨 Security Vulnerability

This tool exposes a critical vulnerability in Bubble.io's encryption mechanism:

• ✅ Fixed IVs: Uses hardcoded IVs ('po9' and 'fl1') for all applications
• ✅ Weak Key Derivation: Only requires AppName to decrypt payloads
• ✅ No Authentication: No HMAC or signature verification
• ✅ Shared Secrets: Same encryption keys across all users

CVE: Pending
Impact: High - Data exposure, payload manipulation
Disclosure: Responsible disclosure to Bubble.io (see Pop_n_bubble.pdf)

---

📋 Overview

This suite provides:

• 🔓 Decryption Tool: Extract data from encrypted Bubble.io payloads
• 🔐 Encryption Tool: Create encrypted payloads using Bubble.io's method
• ✅ Testing Suite: Verify encryption/decryption operations
• 📊 JSON Support: Direct encryption/decryption of JSON data

---

🔐 How It Works

Bubble.io uses AES-CBC encryption with PBKDF2-MD5 key derivation:

Encryption Process (3 Values):

1. x (IV): Encrypted Initialization Vector

   • Input: Random 16-byte IV
   • Fixed IV for encryption: 'fl1'
   • Key: Derived from AppName

2. y (Timestamp): Encrypted timestamp

   • Input: Timestamp + "_1" suffix
   • Fixed IV for encryption: 'po9'
   • Key: Derived from AppName

3. z (Payload): Encrypted data

   • Input: Your data (JSON or text)
   • Key: Derived from AppName + Timestamp
   • IV: The decrypted IV from (x)

Decryption Process:

1. Decrypt y → Extract timestamp
2. Decrypt x → Extract IV  
3. Decrypt z → Get original payload

---

🚀 Quick Start

Installation

# Clone the repository
git clone https://github.com/code-root/bubble-payload-encrypter.git
cd bubble-payload-encrypter

# Install dependencies
pip3 install cryptography

Decryption

# Interactive mode
python3 decrypt_optimized.py

# Or use the main decrypter
python3 payload_decrypter.py

Encryption

# Interactive mode
python3 payload_encrypter.py

# Quick example
python3 quick_encrypt.py

Testing

# Run comprehensive tests
python3 test_encrypt_decrypt.py

---

💻 Usage Examples

Decrypt Payload

from payload_decrypter import decrypt_bubble_payload

timestamp, iv, payload = decrypt_bubble_payload(
    appname="your_app_name",
    x_encrypted="encrypted_iv_base64==",
    y_encrypted="encrypted_timestamp_base64==",
    z_encrypted="encrypted_payload_base64=="
)

print(payload.decode('utf-8'))

Encrypt Payload

from payload_encrypter import encrypt_bubble_payload

result = encrypt_bubble_payload(
    appname="your_app_name",
    payload_data={
        "app_version": "live",
        "data": "sensitive information"
    }
)

print(f"x: {result['x']}")
print(f"y: {result['y']}")
print(f"z: {result['z']}")

---

📁 Project Structure

Core Scripts

• payload_decrypter.py - Main decryption tool
• payload_encrypter.py - Main encryption tool
• decrypt_optimized.py - Enhanced decryption with better UX
• quick_encrypt.py - Quick encryption examples
• test_encrypt_decrypt.py - Comprehensive test suite

Documentation

• README.md - This file (English)
• README_AR.md - Arabic documentation
• ENCRYPTION_GUIDE_AR.md - Detailed encryption guide (Arabic)
• SUMMARY_AR.md - Project summary (Arabic)
• Pop_n_bubble.pdf - Security vulnerability analysis

Examples

• example_decryption_result.json - Example decrypted data
• example_encrypted.json - Example encrypted data

---

🔑 Key Features

Performance Optimizations

• ✅ 60% code reduction through shared functions
• ✅ Optimized memory usage
• ✅ Efficient PBKDF2 key derivation
• ✅ Clean, well-documented code

Functionality

• ✅ Full encryption/decryption support
• ✅ JSON and text support
• ✅ Auto-generate timestamp and IV
• ✅ Custom timestamp/IV support
• ✅ Save results to files

Security Analysis

• ✅ Demonstrates Bubble.io vulnerability
• ✅ Educational tool for security research
• ✅ Proof-of-concept implementation
• ✅ Responsible disclosure documentation

---

⚠️ Disclaimer

FOR EDUCATIONAL AND SECURITY RESEARCH PURPOSES ONLY

This tool is provided for:

• ✅ Security research and education
• ✅ Authorized penetration testing
• ✅ Understanding encryption vulnerabilities
• ✅ Responsible disclosure demonstrations

DO NOT USE FOR:

• ❌ Unauthorized access to systems
• ❌ Data theft or manipulation
• ❌ Any illegal activities
• ❌ Attacking applications without permission

The authors are not responsible for misuse of this tool.

---

📚 References

• Bubble.io Platform
• AES-CBC Encryption
• PBKDF2 Key Derivation
• Cryptography Library

---

🤝 Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Commit your changes
4. Push to the branch
5. Open a Pull Request

---

📄 License

This project is released for educational purposes only. Use responsibly and ethically.

---

👥 Authors

Security Research Team

---

📞 Contact

For security issues or responsible disclosure:

• 📱 WhatsApp: +201001995914
• 🐛 GitHub Issues: Report here
• 📧 Security Research: Contact via WhatsApp for responsible disclosure

---

⭐ Star this repo if you find it useful for security research!