
technical feedback Possible API Abuse

V. (joined jun 12, 2024)

@orchid Hey, I just registered to let you know about a potential issue with your API. It could be exploited by people looking to cause trouble with just a few lines of code. Consider fixing this to prevent misuse.

He who desires but acts not breeds pestilence

[image attached] (Don't worry, I deleted all the damage that I did, and I'm sorry for doing it, but I wanted to see if it could cause a lot of damage.)

edited 6/12/2024, 10:10 pm

Khastle, Herald of the Mariana (joined jun 10, 2024)

quoting V.:

@orchid Hey, I just registered to let you know about a potential issue with your API. It could be exploited by people looking to cause trouble with just a few lines of code. Consider fixing this to prevent misuse.

He who desires but acts not breeds pestilence

[image attached] (Don't worry, I deleted all the damage that I did, and I'm sorry for doing it, but I wanted to see if it could cause a lot of damage.)

He knows his shit; worth hearing him out on this to make sure this place can be future-proofed.

posted 6/12/2024, 10:13 pm

orchids (joined dec 4, 2022)

i just deployed a new change requiring a user to have at least 1 post before creating a thread.

we've had some issues with bots in the past few months, so hopefully that change should mitigate some of that, but I'll keep this in mind and look for other solutions. Thanks for bringing this up!

posted 6/12/2024, 10:22 pm

V. (joined jun 12, 2024)

quoting orchids:

i just deployed a new change requiring a user to have at least 1 post before creating a thread.

we've had some issues with bots in the past few months, so hopefully that change should mitigate some of that, but I'll keep this in mind and look for other solutions. Thanks for bringing this up!

I'm sorry, but the '1 post to create a thread' rule is not good at all. There are more methods to prevent this, one of which is simply removing the API /register. In my opinion, it shouldn't have existed in the first place.

posted 6/12/2024, 10:26 pm

Khastle, Herald of the Mariana (joined jun 10, 2024)

quoting orchids:

i just deployed a new change requiring a user to have at least 1 post before creating a thread.

we've had some issues with bots in the past few months, so hopefully that change should mitigate some of that, but I'll keep this in mind and look for other solutions. Thanks for bringing this up!

I'd highly advise an approval queue if you can implement one for new users. My site uses XenForo, which makes it easy, so I can understand if that would be harder to put in, but I highly respect that you are doing all this on your own end. Just having that filter where you can see who comes in would help so much, and it would help against potential raids massively, as in the site's current state it would be so susceptible to malicious actions if it pops up on the wrong person's radar. Bad actors have come across my site, and it's really helped shoo them away quickly.

posted 6/12/2024, 10:29 pm

orchids (joined dec 4, 2022)

ok man i hear you but consider this: i am one person working a full time job and this is a hobby project

what would you suggest to mitigate that? a paywall? email verification? something else?

posted 6/12/2024, 10:30 pm

V. (joined jun 12, 2024)

quoting Khastle:

I'd highly advise an approval queue if you can implement one for new users. My site uses XenForo, which makes it easy, so I can understand if that would be harder to put in, but I highly respect that you are doing all this on your own end. Just having that filter where you can see who comes in would help so much, and it would help against potential raids massively, as in the site's current state it would be so susceptible to malicious actions if it pops up on the wrong person's radar. Bad actors have come across my site, and it's really helped shoo them away quickly.

Right, but all XenForo websites look the same if you look closely, and it's more expensive. While it does offer better protection, this comes at a higher price. However, it all varies from owner to owner.

posted 6/12/2024, 10:31 pm

orchids (joined dec 4, 2022)

quoting Khastle:

I'd highly advise an approval queue if you can implement one for new users. My site uses XenForo, which makes it easy, so I can understand if that would be harder to put in, but I highly respect that you are doing all this on your own end. Just having that filter where you can see who comes in would help so much, and it would help against potential raids massively, as in the site's current state it would be so susceptible to malicious actions if it pops up on the wrong person's radar. Bad actors have come across my site, and it's really helped shoo them away quickly.

this actually exists and is easy to flip back on but it's off for now because i didn't feel like having people wait on me to approve their account before they can post

posted 6/12/2024, 10:31 pm

V. (joined jun 12, 2024)

quoting orchids:

ok man i hear you but consider this: i am one person working a full time job and this is a hobby project

what would you suggest to mitigate that? a paywall? email verification? something else?

I'm not trying to be mean, but yes, email verification would be a massive step. If you want a quick fix, just remove the /register API.

posted 6/12/2024, 10:33 pm

Khastle, Herald of the Mariana (joined jun 10, 2024)

quoting orchids:

ok man i hear you but consider this: i am one person working a full time job and this is a hobby project

what would you suggest to mitigate that? a paywall? email verification? something else?

Sorry if we may be coming off the wrong way; my mate just saw these issues and wants to help in case something negative does occur that could cause issues for the site in the future.

quoting V.:

Right, but all XenForo websites look the same if you look closely, and it's more expensive. While it does offer better protection, this comes at a higher price. However, it all varies from owner to owner.

Yeah exactly and that's why I said I respect admin in taking the barebones approach in making this place and not taking the more expensive Xenforo route. Awesome so far with the work.

quoting orchids:

this actually exists and is easy to flip back on but it's off for now because i didn't feel like having people wait on me to approve their account before they can post

Yeah fair I do get that, especially when the forum is still relatively small and unknown, I only have it turned on permanently due to where I advertise and what kind of people it can attract now and then. You do you ultimately.

posted 6/12/2024, 10:41 pm

orchids (joined dec 4, 2022)

yeah it's a fair point, and email verification has slowly been growing to be more and more of a priority as time has gone on.

it's looking like that's gonna be the next thing I work on. We already have mechanisms for sending out emails and performing some action based on a short-lived token (the forgot/update password flow). it's really just about finding the time and energy to actually work on it.

but either way I appreciate the concern!

posted 6/12/2024, 10:55 pm
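The post above describes reusing the site's existing "send an email, then act on a short-lived token" mechanism for verifying new accounts. The following is an added example of how such a flow is typically built; it is not the forum's own code and makes no claim about how orchids implemented it. The secret key, the one-hour lifetime, the in-memory `users` dict standing in for the database, and the `can_create_thread` gate are all assumptions made for the example. The token is HMAC-signed so it cannot be forged, carries an expiry, is bound to the user id and the address it was mailed to, and is accepted only once.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side secret; a real deployment loads it from config, not per process.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 60 * 60  # one hour, assumed; the thread does not state the site's TTL


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_verification_token(user_id, email, key=SECRET_KEY, now=None, ttl=TOKEN_TTL_SECONDS):
    """Build an HMAC-signed, expiring token to embed in the verification link.

    The token is bound to the user id and the address it was mailed to, so a
    link that leaks or is replayed against a different account is rejected.
    """
    payload = {
        "uid": user_id,
        "email": email.strip().lower(),
        "exp": int((time.time() if now is None else now) + ttl),
        "nonce": secrets.token_hex(8),  # makes two tokens for the same user distinct
    }
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64encode(mac)}"


def verify_token(token, users, key=SECRET_KEY, now=None):
    """Validate a token and mark the account verified. Returns (ok, reason).

    `users` stands in for the database: {user_id: {"email": str, "verified": bool}}.
    Checks run in this order: structure, signature, expiry, binding, single use.
    """
    try:
        body, sig = token.split(".", 1)
        body_bytes = body.encode("ascii")
        given_mac = _b64decode(sig)
    except ValueError:  # wrong shape, non-ASCII, or bad base64 (binascii.Error is a ValueError)
        return False, "malformed"
    expected_mac = hmac.new(key, body_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, given_mac):  # constant-time comparison
        return False, "bad signature"
    payload = json.loads(_b64decode(body))  # safe to parse: the signature proves we issued it
    if (time.time() if now is None else now) > payload["exp"]:
        return False, "expired"
    user = users.get(payload["uid"])
    if user is None or user["email"].strip().lower() != payload["email"]:
        return False, "email changed"  # address edited after the mail went out
    if user["verified"]:
        return False, "already verified"  # each link works once
    user["verified"] = True
    return True, "verified"


def can_create_thread(user):
    """Gate the action the thread is worried about (mass thread creation) on verification."""
    return bool(user.get("verified"))


if __name__ == "__main__":
    users = {7: {"email": "new.user@example.com", "verified": False}}  # constructed sample
    token = issue_verification_token(7, "New.User@example.com")
    print("link: https://forum.example/verify?token=" + token)
    print(verify_token(token, users))   # (True, 'verified')
    print(verify_token(token, users))   # (False, 'already verified')
    print(can_create_thread(users[7]))  # True
```

The same signing helper serves the forgot/update-password flow the post mentions; only the payload and the action taken on success differ. Keep the key out of the repository, and treat a verification link as a bearer credential: send it only to the address in the token, and never log the full URL.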

orchids (joined dec 4, 2022)

email verification (for new users) coming tonight.

i hope you're happy @V. I could have had a perfectly good night last night playing doom eternal (shrug smiley)

edited 6/14/2024, 8:44 pm

V. (joined jun 12, 2024)

quoting orchids:

email verification (for new users) coming tonight.

i hope you're happy @V. I could have had a perfectly good night last night playing doom eternal (shrug smiley)

Why do I have to be the one that's happy? You should be happy because now the raids won't be so bad anymore.

posted 6/15/2024, 9:45 am
