Web Security is Fun!

[wolffyluna]

So, you know how pillowfort.io had some security down time a little while ago? That was roughly when I went from 'ooh, I should buy a key some time' to '...let's wait and see.' Mostly because I'm not a security expert, and I didn't know the details, so I wasn't sure if they were caught out by something weird, or if this was a moonpig level You Should Have Predicted This sorta security issue.

Turns out, it looks like it was the latter!

Which, gee, oof. I mean, yay my instincts, for predicting it'd be this sort of thing-- but oooooof.

Yeah, so definitely not going to pillowfort until they've at least done some more pentests.

Comments

[wolffyluna]

Yeah, that's the feeling I got too. I don't want to say they don't have their hearts in the right place-- but they keep making the sort of mistakes people who don't know what they don't know would make, if that makes sense? Like the fact that they haven't seemed to have lawyered-up ever in this process, or they started letting people on a site before it had a finished ToS*, the fact they don't seem to be coding like they might be attacked-- gaaahhh.

(The other thing that makes me shirty about the site, maybe less reasonably, is their intention to make a 'tumblr but better.' There are some issues with tumblr, where if you just do the opposite, you end up with different problems, but still problems. And also, pillowfort is somewhat vague about what they think tumblr's problems are, which is going to cause issues when there's conflict between the "tumblr's issues were people getting all up in my face about the content I make" groups and the "tumblr's issues were not getting rid of certain content" groups.)

*I'll admit, I am on a different site without a ToS, but in it's defense it's a site designed for a specific small community (as in the people making the website can contact the majority of the users on discord levels of small and specific), and they are currently in the process of getting one.