Pillowfort is back up, so I'll be poking at it again to see if they did any better this time.

First point in their favour is they now run the most recent release of Angular. They lose that point immediately because it's still the shitcanned Angular 1.
They lose another point for deleting the accounts some of us were using to test initially as well, so now we have to burn some invite keys to carry on. Irritating, especially since they'd already renamed the accounts so they weren't hurting anything!
Broken templating shit off the bat with bad URL handling. Amazing. Even on pages that have no business having anything embedded.
Functions that absolutely nobody will ever use are broken, such as password resets.
Broken URL calls all over the place. I've not dug too deep into it yet, but the impression this gives me - the client being responsible for determining external content to trust - has VERY bad implications.

I don't think they listened to our "don't trust the client" explanations
I haven't even left the dashboard after logging in yet, and I've already found something bug bounty-able lmao.
Not a security thing, though I'm wondering why they have a cookie that updates itself with the current epoch in milliseconds every page load.

Smells like tracking to me.
So uh. Hey Pillowfort, whether it's the user's password or something unrelated, why the *fuck* are you sending a hashed password as part of a cookie? Did you check your security expert's qualifications? There's enough info in this string to do some serious damage.
For those wanting to replicate it and verify, run the value of your "_Pf_new_session" cookie through https://www.base64decode.org/. I don't care what the password is actually for, having it in a cookie - even if it's set with httpOnly and secure flags - is a rookie mistake. A dangerous one too.
I had high hopes when they came back up, I think I need to recalibrate them. Again: I'm still on the first fucking page load.
I'm intrigued that so much CSS styling is done in the JS itself instead of a separate stylesheet. As in, a way that'd make sense.

That's not a security thing, just. Why would you do it that way.
Holding my head in my hands, I decided to go over the privacy policy stuff, since I actually have some knowledge in that area. Immediate thought: yikes.

Second thought: Yeah, it's definitely illegal for them to have people in the EU using the site
"How can it be illegal to have EU people on there" - GDPR. First, there's no cookie notification to tell you they use cookies. Despite this, it sets a session ID for you even if you're not logged in. Big no no.
Second, privacy policy mentions no GDPR representative. Under the law, you need one to be allowed to operate in the EU if you're not an EU entity. You can be fined several million euros otherwise. This is why a lot of US-based news sites block EU visitors.
Their privacy policy also doesn't mention anything about third party cookies, which is also required if they don't want to be sued into oblivion. Third party cookies are very much set on the site.
They fixed me being able to get a post to minus 69 likes though. That's good I suppose.
Still curious what these other cookies are. One has a CDN label (you shouldn't need a cookie for CDN stuff), the other is the weird timestamp one. It also has what looks to be an MD5'd ID in it (might be one of the SHAs, can't be bothered to count characters)
This cookie is also stealable by Javascript.
I haven't found anything serious yet, but I've also not put much effort in yet. But just the initial vibe is that there's a ton of work still to do on their security front, it should go down again, and you still shouldn't use it.
Can still fake purchases btw. I can promise you I didn't give them any money.
Also I wanna be absolutely clear - the password hash in the cookie is DANGEROUS. I don't know what it is, but it's bad that it's there, unequivocally. Base64 is not encryption. It actually makes the string BIGGER, so it wastes more bandwidth. The only reason to B64 it is to obfuscate its contents.
Given it's httpOnly and secure flagged, my assumption is this is to hide its contents from the user in the pithiest, most waste-of-time way possible.
Oh, yeah, remember that template injection stuff from my last thread? It's still there.
Having CSRF tokens in cookies is bad practice too btw.
You can still set your username to a system name if you're fast enough to get past the API call that disables the button. It temporarily bricks the site.
I have some more stuff I want to test that I've found hints of potential for, but it's potentially destructive and I don't want to get arrested. Unless PF explicitly OKs me to, I'll stay away from that. But... yeah, not looking good.
Some definite SQL injection on liking posts, I figured that was a decently non-destructive one to test. So yeah, their expert missed more basic shit.
Or it might not be - but if it's not SQL injection and it still let what I did go through, that's a very worrying design. Also I can like posts that don't exist.
I'm not even a hacker, man, I'm just doing the shit I try on my own sites to make sure I didn't do something dumb during an allnighter.
If *I'm* finding stuff, someone else is going to find a lot worse than me, and they might not care about the "destructive consequences" part of things on the stuff I'm staying away from.
Still astounded they decided the correct response to "oh damn our security is fucked" was to start charging for entry again btw. Wish I had balls that big.
I have now liked posts with the id 289991, 0, -1, -9999, 100000000000000000, Minecraft Steve, and "' OR 1=1; --"
I'd *hope* this means that server-side it's just intval'd to 0 or something, but I don't trust that it is.
Also a couple people DMed me suggesting I advertise my own Tumblr-like/art site on this thread, I'm not gonna do that, it feels a little like bullying. Anyway, I want ice cream, then I'll be trying another angle of attack, because I feel like I've skipped some of the simple stuff.
Pillowfort can absolutely hire me btw if the rates are actually decent

Seems you might need someone who knows what they're doing still
You can follow @MSteelblade.
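The cookie check described in the thread (base64-decode the session cookie, look for a hash-shaped field, and work out what the 13-digit timestamp cookie is), written up as a small Node script. This is an added example; it is not the thread author's code or Pillowfort's code. The cookie name is the one from the thread, but SAMPLE_COOKIE is constructed here (the MD5 of "password" stands in for whatever hash a site might put in a cookie), and the digest-length table and timestamp range are assumptions.

```javascript
// Added example, not the thread author's or Pillowfort's code. It does the
// cookie check the thread describes by hand: percent-decode, base64-decode,
// then look for fields shaped like hex digests or epoch-millisecond timestamps.
// SAMPLE_COOKIE below is constructed; it is not a real Pillowfort value.

// Assumption: hex runs of these lengths are what common digests look like.
const DIGEST_SHAPES = { 32: "MD5-sized", 40: "SHA-1-sized", 64: "SHA-256-sized" };

function base64Decode(value) {
  // Cookie values are usually percent-encoded on the wire; accept the
  // URL-safe base64 alphabet too, since both show up in session cookies.
  const raw = decodeURIComponent(value).replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(raw, "base64").toString("utf8");
}

function findHexDigests(text) {
  // Runs of hex characters whose length matches a common digest size, so the
  // reader does not have to "count characters" to tell MD5 from a SHA.
  const found = [];
  for (const m of text.matchAll(/[0-9a-fA-F]{32,}/g)) {
    const label = DIGEST_SHAPES[m[0].length];
    if (label) found.push({ hex: m[0], looksLike: label });
  }
  return found;
}

function findEpochMillis(text) {
  // Assumption: a standalone 13-digit integer is an epoch-millisecond stamp
  // (that range covers roughly 2001..2286), which is what a cookie that
  // updates itself on every page load would look like.
  const found = [];
  for (const m of text.matchAll(/(?<![0-9])[0-9]{13}(?![0-9])/g)) {
    const n = Number(m[0]);
    if (n >= 1e12 && n < 1e13) found.push({ raw: m[0], iso: new Date(n).toISOString() });
  }
  return found;
}

function auditCookie(name, value) {
  const decoded = base64Decode(value);
  let json = null;
  try { json = JSON.parse(decoded); } catch { /* not JSON, keep the raw text */ }
  const digests = findHexDigests(decoded);
  const timestamps = findEpochMillis(decoded);
  // httpOnly/secure do not change the verdict: a hash that should only ever
  // live server-side has already left the server once it is in a cookie.
  const verdict = digests.length ? "digest-shaped secret in cookie" : "no digest-shaped field";
  return { name, decoded, json, digests, timestamps, verdict };
}

// Constructed payload, encoded the way a browser would send it.
const SAMPLE_COOKIE = encodeURIComponent(
  Buffer.from(JSON.stringify({
    uid: 1234,
    pw: "5f4dcc3b5aa765d61d8327deb882cf99", // MD5("password"), constructed
    ts: 1711111111111,
  })).toString("base64"),
);

const report = auditCookie("_Pf_new_session", SAMPLE_COOKIE);
console.log(JSON.stringify(report, null, 2));
```

To use it on a real cookie, paste the value from the browser's storage inspector in place of SAMPLE_COOKIE; the script never sends anything anywhere, so it is safe to run on a live session value.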
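The "like" endpoint behaviour the thread tests (ids of 0, negatives, a huge integer, free text and an injection string all going through, plus likes on posts that don't exist) has a straightforward server-side fix: validate the id strictly, reject rather than coerce, check the post exists, and bind the id as a query parameter. The following is an added example of that handler, not Pillowfort's code and not the thread author's; the post table is an in-memory stand-in, the id list is the one from the thread, and MAX_POST_ID assumes a 32-bit signed id column.

```javascript
// Added example, not Pillowfort's code: the server-side handling a "like"
// endpoint needs for the ids the thread sent it. The id list and the post
// table are constructed here; MAX_POST_ID assumes a 32-bit signed id column.

const MAX_POST_ID = 2147483647; // assumption: id column is a signed 32-bit int

function parsePostId(raw) {
  // Accept only a canonical positive decimal string: no sign, whitespace,
  // leading zeros or trailing text, and within the column's range. Reject
  // instead of coercing: PHP-style intval("' OR 1=1; --") silently yields 0,
  // which is how a junk id can still "succeed" against a post that doesn't exist.
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,9}$/.test(raw)) return null;
  const id = Number(raw);
  return id <= MAX_POST_ID ? id : null;
}

function naiveLikeQuery(raw) {
  // The pattern that makes "' OR 1=1; --" dangerous: request text spliced
  // straight into SQL. Shown only to contrast with safeLikeQuery; never executed.
  return `UPDATE posts SET likes = likes + 1 WHERE id = '${raw}'`;
}

function safeLikeQuery(id) {
  // Parameterized form: the id is a bound value, never SQL text, so quoting
  // tricks in the request cannot change the statement's structure.
  return { text: "UPDATE posts SET likes = likes + 1 WHERE id = $1", values: [id] };
}

const POSTS = new Map([[289991, { likes: 0 }]]); // constructed stand-in for the DB

function likePost(raw) {
  const id = parsePostId(raw);
  if (id === null) return { status: 400, error: "invalid post id" };
  const post = POSTS.get(id);
  if (!post) return { status: 404, error: "no such post" }; // existence check
  post.likes += 1;
  return { status: 200, likes: post.likes, query: safeLikeQuery(id) };
}

// The ids from the thread, run through the hardened handler.
const THREAD_IDS = [
  "289991", "0", "-1", "-9999", "100000000000000000", "Minecraft Steve", "' OR 1=1; --",
];
for (const raw of THREAD_IDS) {
  console.log(JSON.stringify(raw), "->", JSON.stringify(likePost(raw)));
}
console.log("naive query would have been:", naiveLikeQuery("' OR 1=1; --"));
```

Note that "100000000000000000" is rejected by length before it is ever converted, so it can never wrap, overflow or be silently truncated by the database driver; and a well-formed id that points at no row gets a 404 rather than a successful-looking response, which is the behaviour the thread found missing.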