wolffyluna | Web Security is Fun!

You're viewing

wolffyluna's journal
Create a Dreamwidth Account Learn More

Reload page in style: site light

So, you know how pillowfort.io had some security down time a little while ago? That was roughly when I went from 'ooh, I should buy a key some time' to '...let's wait and see.' Mostly because I'm not a security expert, and I didn't know the details, so I wasn't sure if they were caught out by something weird, or if this was a moonpig level You Should Have Predicted This sorta security issue.

Turns out, it looks like it was the latter!

Which, gee, oof. I mean, yay my instincts, for predicting it'd be this sort of thing-- but oooooof.

Yeah, so definitely not going to pillowfort until they've at least done some more pentests.

Flat | Top-Level Comments Only

From:

wolffyluna

Yeah, there's a lot of things happening --like the GDPR noncompliance, and the weirdly inconsistent ToS -- that makes me think they really need to lawyer up as soon as possible, preferably yesterday.

They seem to keep having problems-- and they're really predictable problems, ones that they really should have noticed and thought through. The email address leak was really avoidable. (And heck, the .io domain name is not their biggest problem re: nsfw things, it's PayPal-- and PayPal is well known for stomping on adult content, this is not a surprising thing.)

(Also, at least personally, pillowfort seems to have a lack of black hat thinking, of thinking how policies and decisions could be abused, and a lot of their recent issues stem from that. The security issue was from not getting a pentest, the issues with the editing policy are from not thinking about how people could misuse them, a lot of their moderation policies seem to be based on 'no foxes are gonna get into this henhouse!' etc.)

Edited Date: 2018-12-19 06:47 am (UTC)

From:

zenolalia

I do want to believe in them. But the entire set of problems just screams, "group of college freshmen got together and decided to make a social media website as a fun friend-time activity and did NOT think it through at all."

Like, there's a really persistent level of naivete involved in all of these choices they keep making.

From:

wolffyluna

Yeah, that's the feeling I got too. I don't want to say they don't have their hearts in the right place-- but they keep making the sort of mistakes people who don't know what they don't know would make, if that makes sense? Like the fact that they haven't seemed to have lawyered-up ever in this process, or they started letting people on a site before it had a finished ToS*, the fact they don't seem to be coding like they might be attacked-- gaaahhh.

(The other thing that makes me shirty about the site, maybe less reasonably, is their intention to make a 'tumblr but better.' There are some issues with tumblr, where if you just do the opposite, you end up with different problems, but still problems. And also, pillowfort is somewhat vague about what they think tumblr's problems are, which is going to cause issues when there's conflict between the "tumblr's issues were people getting all up in my face about the content I make" groups and the "tumblr's issues were not getting rid of certain content" groups.)

*I'll admit, I am on a different site without a ToS, but in it's defense it's a site designed for a specific small community (as in the people making the website can contact the majority of the users on discord levels of small and specific), and they are currently in the process of getting one.