Web Security is Fun!

[wolffyluna]

So, you know how pillowfort.io had some security down time a little while ago? That was roughly when I went from 'ooh, I should buy a key some time' to '...let's wait and see.' Mostly because I'm not a security expert, and I didn't know the details, so I wasn't sure if they were caught out by something weird, or if this was a moonpig level You Should Have Predicted This sorta security issue.

Turns out, it looks like it was the latter!

Which, gee, oof. I mean, yay my instincts, for predicting it'd be this sort of thing-- but oooooof.

Yeah, so definitely not going to pillowfort until they've at least done some more pentests.

Comments

[zenolalia]

They've got to get a legal team sooner than later, because the second an EU user tries to press charges under the GDPR, they're extremely fucked.

I really, really want to like pillowfort, I really do, but they've been having a lot of "missteps" over the last few weeks.

[wolffyluna]

Yeah, there's a lot of things happening --like the GDPR noncompliance, and the weirdly inconsistent ToS -- that makes me think they really need to lawyer up as soon as possible, preferably yesterday.

They seem to keep having problems-- and they're really predictable problems, ones that they really should have noticed and thought through. The email address leak was really avoidable. (And heck, the .io domain name is not their biggest problem re: nsfw things, it's PayPal-- and PayPal is well known for stomping on adult content, this is not a surprising thing.)

(Also, at least personally, pillowfort seems to have a lack of black hat thinking, of thinking how policies and decisions could be abused, and a lot of their recent issues stem from that. The security issue was from not getting a pentest, the issues with the editing policy are from not thinking about how people could misuse them, a lot of their moderation policies seem to be based on 'no foxes are gonna get into this henhouse!' etc.)

[zenolalia]

I do want to believe in them. But the entire set of problems just screams, "group of college freshmen got together and decided to make a social media website as a fun friend-time activity and did NOT think it through at all."

Like, there's a really persistent level of naivete involved in all of these choices they keep making.

[wolffyluna]

Yeah, that's the feeling I got too. I don't want to say they don't have their hearts in the right place-- but they keep making the sort of mistakes people who don't know what they don't know would make, if that makes sense? Like the fact that they haven't seemed to have lawyered-up ever in this process, or they started letting people on a site before it had a finished ToS*, the fact they don't seem to be coding like they might be attacked-- gaaahhh.

(The other thing that makes me shirty about the site, maybe less reasonably, is their intention to make a 'tumblr but better.' There are some issues with tumblr, where if you just do the opposite, you end up with different problems, but still problems. And also, pillowfort is somewhat vague about what they think tumblr's problems are, which is going to cause issues when there's conflict between the "tumblr's issues were people getting all up in my face about the content I make" groups and the "tumblr's issues were not getting rid of certain content" groups.)

*I'll admit, I am on a different site without a ToS, but in it's defense it's a site designed for a specific small community (as in the people making the website can contact the majority of the users on discord levels of small and specific), and they are currently in the process of getting one.

[tornir]

After it was taken down, the 503 page announced to the world they were using a four year old web server.
The server's dev site lists every patched vulnerability, and the versions affected by it; Black Hat shopping list. :(
I don't know if they've patched that (I don't even know if they can), but I too have adopted a '...let's wait and see.' policy, while hoping my friends who haven't don't get burned.

[wolffyluna]

Oh my goodness, it's turtles security vulnerabilities all the way down.

[tornir]

Humble have a book bundle these guys should really get, and it'd only cost them three keys.

[lady_kishiria]

Yeah, I was going to get a Pillowfort code and held off for the same reasons you did.

[lb_lee]

I admit, I have had no interest in pillowfort, but this has just made me feel better about it. Lately my biggest concerns about my website use is security stuff.

I think I'm basically just going to try and camp out here.

[wolffyluna]

Pillowfort has been making a series of missteps, but this is the biggie for me as well.

Like, I could live with poor moderation, if I didn't have to worry about my email address being leaked. But considering I do... yeah, I'm not paying 5 bucks to have a security vulnerability in my life.