So turns out Pillowfort is aptly named in the “exactly as robust as it sounds” sense.
More thoughts here, but tl;dr people pointed exactly these issues out over a year ago and Pillowfort told us they’d been fixed. They lied.
Serious Professional Advice: If you have a Pillowfort account… don’t. Assume all data you’ve ever posted there—from your passwords to your post content—is compromised. If you’ve used the same password at Pillowfort that you’ve used on any other service, change it on all those other services.[1]
They aren’t going to learn and they aren’t going to get better; Pillowfort is a get-rich-quick scheme for its creators who want to be fandom billionaires and don’t care what damage they do to get there. Do not let them get away with it.
[1] Also please don’t reuse passwords.
Oh and if you’re on Pillowfort, consider… not being. This is a combination of “Baby’s First Programming Mistake” and “Nuclear Option Exploit of Your Computer You Can’t Do Anything About” and it’s, like. Hard to appropriately convey how Not Good this is and how it should really be Pillowfort’s death knell.
It’s also exactly the same exploit people were pointing out… what was it? A year ago? Two? Back then people were mostly doing it for dumb stuff like changing their usernames into hundreds of bee emoji, but at the time there was discussion about how the same vector could be used to much more serious ends.
Pillowfort back then said it had conducted a “security review” (with a “paid professional”, IIRC) but the fact these issues STILL exist indicates they either did not or they simply do not understand what the problem is and how to fix it. Both options are entirely terrible.
Like, not to exaggerate but this is the equivalent of a company building a skyscraper, having people come in halfway through to tell them it’s going to collapse in a stiff breeze, saying they’ve fixed the issues… and then having the whole thing collapse in a stiff breeze on opening day because it turns out they did not, in fact, fix the issues. In other words, this would be criminal negligence if computer science was an actual big boy industry. And yes, I’m completely serious.
okay you managed to freak me out 😠 so the site isn’t safe at all? not even for browsing and reblogging? I’m not worried about passwords or card info, but that thing about “could potentially allow internet randoms access to everything on your computer” you mentioned on mastodon.
Pretty much, yeah.
Basically this exploit means any internet random can insert any code onto Pillowfort, and if you happen to go to where the code is (e.g. have an “infected” post show up on your dash), it will run on your computer whether you want it to or not.
The technical terms are a cross-site scripting attack (XSS, Pillowfort seems vulnerable to both the stored and reflected types) with the potential for a drive-by download. Some of the seriousness of how bad these attacks can be depends on your computer OS and browser, but yeah Baby’s First Hacking Class is generally how to use freely downloadable tools (e.g. Metasploit) to exploit this scenario to do things from stealing people’s session cookies (and thus log into their accounts) right up to gaining full control over their computer.
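The two halves of the fix for what the reply above describes, as an added JavaScript example that is not from this thread and not Pillowfort’s code: escape user-supplied post text before it is put into the page (so a stored post body cannot become live markup), and mark the session cookie HttpOnly so a page script cannot read it even if some script does land. The post fields, cookie name and sample post body are constructed for the example.

```javascript
// Added example: output escaping plus a script-unreadable session cookie.
// Nothing here is from the site under discussion; field names are assumed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every HTML-significant character so the text renders as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering: the stored post body is concatenated straight into
// the page, so markup inside it becomes live markup for every reader.
function renderPostUnsafe(post) {
  return `<article><h2>${post.author}</h2><p>${post.body}</p></article>`;
}

// Hardened rendering: every user-controlled field is escaped on output.
function renderPostSafe(post) {
  return `<article><h2>${escapeHtml(post.author)}</h2><p>${escapeHtml(post.body)}</p></article>`;
}

// Session cookie attributes: HttpOnly keeps it out of document.cookie, Secure
// keeps it off plain HTTP, SameSite=Lax limits cross-site sends.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Does the rendered HTML still contain an unescaped script tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample post: the body carries a script tag, as a stored XSS
// payload would (the tag body is a harmless marker).
const samplePost = {
  author: 'someone',
  body: 'nice pic <script>/* constructed marker */</script>',
};

console.log('unsafe:', renderPostUnsafe(samplePost)); // script tag survives
console.log('safe:  ', renderPostSafe(samplePost));   // rendered as &lt;script&gt;
console.log('cookie:', sessionCookieHeader('constructed-session-id'));
```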
This is so scary wtf ;; Thanks for the heads up and the links <3 I probably should learn more about these things..