A new highly anticipated social media website is full of "silly" and "old-school" bugs that allow users to exploit other users on the website using HTML code in usernames and posts, according to several people who are sharing the exploits on Twitter.
Pillowfort, a new Tumblr-like social media site, announced on Monday that it was now open to all users. Just a few hours later, several users noticed that they could mess with others just by including HTML code in their posts and usernames. On Tuesday afternoon, the company announced on Twitter that it had taken the site offline "to enact some precautionary safety measures," but did not directly address any of the seeming bugs.
Another user figured out that he could put the site's Sign Out link in the source of an HTML image tag. A browser rendering the post fetches the image URL automatically, with the viewer's session cookie attached, so anyone who merely viewed the post was signed out. The trick works because the sign-out endpoint changes state in response to a plain GET request, the kind of request an image tag is allowed to trigger.
"Such a silly mistake," Jane Manchun Wong, an independent security researcher, told Motherboard in an online chat. "It appears this website forgot to sanitize user input, which the website includes as part of the webpage, which could potentially allow a cross-site scripting attack."
Cross-site scripting attacks, or XSS, are common web vulnerabilities that let an attacker run script in other users' browsers, in the context of the vulnerable site, by injecting malicious markup into pages the site serves. They are widely understood, and the defenses are well established: encode user-supplied content for the context it lands in (HTML text, attribute, URL or script), and run any HTML that users are allowed to post through an allowlist sanitizer before rendering it.
"It’s a very old-school attack," Jim Manico, a former board member of the Open Web Application Security Project, told Motherboard in an online chat. "This is only possible because of insecure coding practices of a particular website."
A Pillowfort spokesperson said in an email on Tuesday afternoon that the company was working on fixing the issues.
“Our team pushed out a fix for the ‘/signout’ link exploit the first user found. We are confident it was a one-of-a-kind issue that does not represent any wide-scale problems in our infrastructure. Inserting various HTML elements into Froala, our post editor, is already allowed for post contents and our developer team already sanitized for unwanted HTML elements,” the spokesperson said.
“For the time being, we have temporarily taken Pillowfort offline to ensure that any potential bug concerns or security exploits are dealt with while also avoiding any compromise of our users' accounts,” the spokesperson wrote. “But we wanted to share, for transparency and to hopefully bring some ease of mind to those aware of the situation, that there was not any breach of data or personal information that occurred as part of the public launch. Additionally, we do not store credit card information of any kind on Pillowfort.”