So an app described as “Yelp for Conservatives” appeared this past week, promising to let people review businesses so Trump supporters would know where they could go without anybody being mean to them because they support a criminal, sexual predator, borderline white supremacist president. Well, as they say, it’s a free country.
Except – oops! – the guy behind the app is not so good at coding.
Alderson said that in taking a look at the publicly available source code, he found that Wallace had implemented an open API in order to communicate with the 63red Safe server, which contains the app’s database. The issue is that the API has no log-in protection.
“In this case, they ‘forgot’ to implement an authentication mechanism,” Alderson tweeted. “It means everybody can use their API, it’s open bar!”
He also discovered that there’s a list of API endpoints in the app’s source code, making it possible for someone with a bare minimum of software engineering skills to more easily access user data stored on the server. This includes profile IDs, when the profiles were created, profile pictures, the number of people a user follows and is following, UIDs and email addresses. It’s also possible to block users and create new profiles, he said.
Alderson said that he was able to see that 4,466 persons created a profile on the app. He said he didn’t download the database, but he noted that it was possible to use two specific API requests to obtain the information.
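To make the defect concrete, here is an added example (not the 63red app’s code, and not Alderson’s) of a tiny in-process API router: one endpoint registered the way the app’s apparently was, answering anyone who knows the path, next to the same endpoint gated on a bearer token, plus the audit check a developer should run so that no endpoint gets registered without authentication. The profile store, the token table and the paths are all constructed for the example.

```python
import hmac
from typing import Callable, Dict, Tuple

# Constructed sample data standing in for the server-side profile store.
PROFILES = {"u1": {"email": "alice@example.com", "created": "2019-03-09"}}
# Constructed bearer tokens; a real service would issue these at login.
API_TOKENS = {"tok-alice": "u1"}
# path -> (handler, protected?). Every endpoint registers here, so the audit below cannot miss one.
ROUTES: Dict[str, Tuple[Callable, bool]] = {}

def route(path: str, protected: bool):
    """Register a handler and record whether it requires a caller identity."""
    def wrap(fn):
        ROUTES[path] = (fn, protected)
        return fn
    return wrap

def authenticate(headers: Dict[str, str]):
    """Return the user id for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    for known, uid in API_TOKENS.items():
        if hmac.compare_digest(known.encode(), token.encode()):  # constant-time compare
            return uid
    return None

# BEFORE: the defect described above. Anyone who knows the path gets the data.
@route("/v1/profiles_open", protected=False)
def list_profiles_open(_uid):
    return 200, PROFILES

# AFTER: the same data, served only to an authenticated caller.
@route("/v1/profiles", protected=True)
def list_profiles(_uid):
    return 200, PROFILES

def handle(path: str, headers: Dict[str, str]):
    """Dispatch one request; protected routes reject callers without a valid token."""
    if path not in ROUTES:
        return 404, {"error": "not found"}
    fn, protected = ROUTES[path]
    uid = authenticate(headers)
    if protected and uid is None:
        return 401, {"error": "authentication required"}
    return fn(uid)

def unprotected_routes():
    """Audit check: every registered endpoint that skips authentication."""
    return sorted(p for p, (_, protected) in ROUTES.items() if not protected)
```

Running `unprotected_routes()` in the test suite and failing the build when it returns anything is the cheap check that would have caught this before release.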
This is not “we made a mistake and missed it in our testing.” This is “I have no idea how to do this, and what is this thing that you call ‘testing’?”
Very embarrassing. Security researchers poke into this stuff all the time, and generally when someone finds out they’ve released software with security problems, they say ‘thank you’ and fix it really fast. So naturally, this 63red guy responded… with intense butthurt.
We take security very seriously, and have already taken action to additionally protect our data. The security of our users, and conservatives generally, is our primary concern, and we will continue to improve our systems in any way possible to guarantee their safety.
Please note that the individual who noticed an issue never gained access to any user’s passwords, nor were they able to change or alter any data on our servers, nor were they able to log into our servers or access our databases directly. The small amount of information which they were able to access has now been additionally protected.
As we have seen across the United States, conservatives particularly have come under attack for their political beliefs — verbally, physically, and electronically. This is unacceptable in a free society, and we will take every action to stop it, and assist our users in that as well.
Then he called the FBI to report someone walking through his open door.
“We take security very seriously?” Oh, honey, no.
So, the usual MAGA butthurt victim bullshit, for which the dude’s being roundly mocked all over the place. As he deserves!
Something else about this that crossed my mind: Apple is always bragging about how they carefully review apps to keep everybody safe, and unfortunately people get a false sense of security and aren’t nearly as careful with their iOS apps as they ought to be, because “Apple checks it all!” Well, this thing was right there on their App Store.
Assuming someone else took care of it is a very bad security approach. You need to pay attention to the permissions apps are seeking and ask yourself who is on the receiving end of the information they collect. Yes, even if you have an iPhone. Personally – I think Apple is doing a real disservice to its users by suggesting their policies have these things covered.
So pay attention to what you’re installing and who made it and what it’s asking for. And, of course, delete your Facebook!