
How NOT to roll out a web-facing product: a guide


If you ever wanted to start your own alternative-tech company, the first quarter of this year presents a truly unique opportunity: millions of netizens are looking for alternative platforms. Even though the subject of alt-tech has been floating around for quite some time, it wasn’t until January 2021 that the topic caught the media’s attention, and it is still going strong. But let’s start from the beginning.

Background

2021 had a rocky start. In early January, Joe Biden was confirmed as the next president of the United States, and the outgoing president, Donald Trump, was not too eager to relinquish his seat. Neither were his followers, who stormed the U.S. Capitol under the slogan “stop the steal”, claiming that the election had been rigged. For a while, the eyes of the world were focused on the state of America’s democracy.

However, it is the social media aftermath that concerned many. Citing internal codes of ethics as well as their own Terms of Service, Silicon Valley companies de-platformed the former President of the United States one by one. Suddenly, Mr. Trump fell silent, at least on the internet.

The political right immediately pointed at the supposed liberal bias of California-based tech giants, claiming that de-platforming Mr. Trump was an act of censorship and an assault on free speech. Perhaps so. Tech giants, on the other hand, defended their actions, arguing that they would not allow their products to be used to disseminate what they considered to be “fake news.” It’s a tough one.

Alt-tech to the rescue?

Meanwhile, all this turmoil became a PR blessing for the alt-tech service providers. Finally, they were getting some action.

Let’s take a look at Gab and Parler. Both platforms had been online for quite some time. However, for many years they remained niche projects, catering to a select few who took the time to search the web for lesser-known platforms, for whatever reason.

For alt-tech social media services, the biggest obstacle to growth has been the absence of a substantial user base. The relative lack of familiar faces made these platforms unappealing to newcomers. Many came and went, very few stayed. No significant growth meant no investment or revenue, which directly translated to little or no marketing effort. Here the problems came full circle for both platforms.

Alas, this all changed when California-based tech companies decided to go against Mr. Trump and millions of his followers. Suddenly, social media censorship became a dinner-table topic and a ‘problem’ to be solved. Many Trump supporters vowed to stay away from the mainstream social media platforms and went looking for a new digital home. A digital boycott, of sorts.

The market listened and responded. Gab and Parler saw an uptick, and new alternative media platforms began to spring up like mushrooms after rain. Some platforms got started for ideological reasons, others purely to capture the market.

Enter Albicla

The wave of alt-tech enthusiasm reached Europe as well. In Poland, one media outlet decided to jump on the bandwagon and offer a censorship-free, home-grown Facebook alternative: the aptly named Albicla (according to media reports, the name is derived from the phrase “Let All be Clear”).

The idea was simple: don’t let foreign corporations meddle with free speech. On the surface, the idea sounds good. However, the implementation can serve as a blueprint of what not to do, from a technological standpoint. So here are a few pointers on what NOT to do when rolling out a web-facing product, backed by examples taken from the Albicla roll-out.

First, forget SSDLC

Secure Software Development Life Cycle (SSDLC) is a set of rules and methodologies used by software companies to make sure that security is baked in to every stage of the software development process. This means that security specialists and software developers work closely together from start to finish, making sure that the important security mechanisms are in place at every step. This includes establishing clear code-custody policies, integrity monitoring, choosing the right security primitives (such as current cryptography standards), separating development, test and production environments, security-conscious error handling and many other engineering-level decisions, which together produce a robust product. In the case of a social media platform, one might expect this to be the number one priority.

However, it appears that Albicla may have skipped all of that. Various researchers and internet users found grave mistakes that should have been caught at the design stage, had SSDLC guidelines been followed.

Examples include:

  • storing passwords as unsalted hashes based on MD5 (a fast, general-purpose hash from the early 1990s that has been unsuitable for password storage for well over a decade: without a per-user salt, identical passwords produce identical hashes, and a leaked table falls to precomputed lookups),
  • improper configuration file layout and permissions (which exposed credentials),
  • raw MySQL error messages returned to users (an information-disclosure issue that helps an attacker map the schema and back-end)

and many others. Needless to say, user data went viral almost overnight, as, for example, exposed configuration files revealed internal passwords.
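To make the first bullet concrete, here is the weak scheme next to a sound one, as an added example written for this article (it is not Albicla’s code; the user names and passwords are constructed, and the scrypt parameters are a reasonable baseline chosen here, not anything taken from the platform). It shows why unsalted hashing is fatal for a leaked table: the attacker hashes each guess once and matches it against every user, and identical passwords are visible as identical hashes even before cracking.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample accounts (not real data). Two users chose the same password.
SAMPLE_USERS = {
    "tim": "Winter2021!",
    "alice": "Winter2021!",
    "bob": "correct horse battery staple",
}


def md5_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted MD5 digest per password.
    Identical passwords give identical hashes, and a leaked table can be
    attacked with precomputed lookups at billions of guesses per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted(hash_table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack against the weak scheme. Each wordlist entry is
    hashed once and matched against every user, because nothing per-user varies."""
    lookup = {md5_unsalted(word): word for word in wordlist}
    return {user: lookup[h] for user, h in hash_table.items() if h in lookup}


# scrypt cost parameters (RFC 7914): N must be a power of two; raise it as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened scheme: a random 16-byte salt per user and a memory-hard KDF.
    The parameters are stored alongside the hash so they can be upgraded later."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def duplicate_hash_count(hash_fn) -> int:
    """How many users share a stored hash with someone else under a given scheme."""
    hashes = [hash_fn(pw) for pw in SAMPLE_USERS.values()]
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    weak_table = {u: md5_unsalted(pw) for u, pw in SAMPLE_USERS.items()}
    print("duplicate MD5 hashes:", duplicate_hash_count(md5_unsalted))
    print("cracked:", crack_unsalted(weak_table, ["password", "Winter2021!", "letmein"]))
    print("duplicate scrypt hashes:", duplicate_hash_count(scrypt_hash))
```

The stored format carries its own parameters, so when the cost factors are raised later, old records can be re-hashed on the user’s next successful login without a flag day; the constant-time comparison avoids leaking how many bytes of the digest matched.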

Second: skip the frameworks, write it yourself

Everyone likes a challenge. Why bother using existing frameworks when you can reinvent the wheel yourself?

Although this isn’t official, it appears that Albicla’s developers may have done just that. Rather than relying on open-source frameworks for parts of the back-end functionality, the Albicla code leaks suggest that most of the functionality, as well as the back-end itself, was developed in-house.

Here’s why that is a bad idea. While doing everything from scratch is an admirable undertaking and an obvious display of programming talent, building everything from the ground up requires extensive security knowledge of every piece of underlying technology. The developers must study and provide a solution for every security weakness of every component, which truly tests their knowledge and abstract-thinking skills. Mature frameworks ship with many of these defences already in place (parameterised queries, CSRF tokens, session handling, input validation), hardened by years of public scrutiny.

Let’s take a sign-up form as an example. One option is to use pre-made components to build a form that gathers the data, securely saves it to a database and triggers a mailing script. The other is to think through every security weakness of such a form and build a defence for each on top of the functionality.

Here are some common ways a form can be abused:

  • Numerous sign-ups from the same IP address (fake or bot accounts)
  • Unbounded input length (if no limit is set on the password or other fields, a client can submit gigabytes of data and tie up the server)
  • SQL injection (smuggling database commands in through form fields that are spliced into queries)
  • Syntax and completeness validation, enforced on the server (so users have to fill in all data required by law, in the expected format, regardless of what the browser checked)
  • Spamming (the confirmation e-mails a form triggers can be used to send thousands of messages)

and many more. 

As one can imagine, tying up loose ends when piecing a product together from a variety of sources can itself be a daunting task. However, thinking abstractly about every piece of functionality and how it can be exploited is a job for an entire security team, never mind a few developers hired to deliver minimal functionality.
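What “thinking through every weakness” of a sign-up form amounts to in code, as an added example written for this article (not Albicla’s code or any framework’s): one handler that enforces the checks from the list above server-side. The field names, limits, rate-limit window and the in-memory SQLite table are all assumptions made here for illustration; the `now` parameter exists only so the rate limiter can be exercised with a fake clock.

```python
import hashlib
import re
import secrets
import sqlite3
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Tuple

USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PASSWORD_MIN, PASSWORD_MAX = 12, 256          # the cap keeps huge bodies away from the KDF
MAX_SIGNUPS_PER_IP, WINDOW_SECONDS = 3, 3600   # assumed policy: 3 accounts per IP per hour


def hash_password(password: str) -> str:
    """Salted scrypt, stored as salt_hex:key_hex. A real password KDF, kept minimal here."""
    salt = secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + ":" + key.hex()


class SignupService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                        "email TEXT NOT NULL, pw_hash TEXT NOT NULL)")
        self.recent: Dict[str, deque] = defaultdict(deque)   # ip -> sign-up timestamps

    def _rate_limited(self, ip: str) -> bool:
        q = self.recent[ip]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:           # forget sign-ups older than the window
            q.popleft()
        return len(q) >= MAX_SIGNUPS_PER_IP

    def signup(self, form: Dict[str, str], ip: str) -> Tuple[bool, str]:
        # Every check is repeated here; a browser's `required` attribute proves nothing.
        username = (form.get("username") or "").strip().lower()
        email = (form.get("email") or "").strip()
        password = form.get("password") or ""
        if not USERNAME_RE.fullmatch(username):
            return False, "invalid username"
        if not EMAIL_RE.fullmatch(email):
            return False, "invalid email"
        if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
            return False, "password length out of range"
        if self._rate_limited(ip):
            return False, "too many sign-ups from this address"
        try:
            # Parameterised query: user input is bound as data, never spliced into SQL text.
            with self.db:
                self.db.execute("INSERT INTO users (username, email, pw_hash) VALUES (?, ?, ?)",
                                (username, email, hash_password(password)))
        except sqlite3.IntegrityError:
            return False, "username taken"
        except sqlite3.Error:
            # Mask the driver's message: log it internally, return nothing that maps the schema.
            return False, "internal error"
        self.recent[ip].append(self.now())
        return True, "ok"

    def user_count(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

Two of the checks double as defences against items from the earlier list: the length cap is what stops a multi-gigabyte “password” from ever reaching the memory-hard hash, and the generic “internal error” is the error masking that the raw-MySQL-message finding lacked. The injection payload in the username field never reaches the database at all because the allow-list regex rejects it, and even a field that must accept arbitrary text stays safe because the values are bound as parameters.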

Third, forgo Quality Assurance testing and audits

The purpose of Quality Assurance audits and testing, in simplest terms, is to make sure that the product actually works. Whether you’re making a simple calculator app or a Twitter alternative, it’s important to make sure that users get a consistent, bug-free experience.

…or you can just skip that and have users point out your problems.

Case in point: early Albicla users noticed several logical mistakes in how the platform operated, one of them being the URL structure of public profiles. When registering for the service, a user fills out a form that includes choosing a username and password. From the entered username a URL is derived, much as on Twitter and Facebook: the username becomes the first path segment directly after the domain name. As such, user “Tim” would be accessible through example.com/tim, and user “Alice” could be found under example.com/alice.

But what happens when someone chooses words such as “login” or “delete_account” as their username? Those paths already belong to the application, so the profile namespace and the application’s own routes collide. Even a simple QA process should have accounted for situations like these. Yet in Albicla’s case it didn’t, so users who stumbled onto these pages were either logged out or had their account removed!
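The collision above is a namespace problem with a two-line fix, shown here as an added example written for this article (not Albicla’s code; the route names, the reserved-word list and the dispatch rules are assumptions made for illustration): keep one list of the first path segments the application owns, refuse them at registration, and give fixed routes precedence over profile names at dispatch time so that a stale record could never shadow a page either.

```python
import re
from typing import Callable, Dict, Set

USERNAME_RE = re.compile(r"[a-z0-9_]{3,20}")

# Every first path segment the application itself uses. Kept in one place and checked at
# registration, so that no account can ever be reachable at the same URL as a page.
RESERVED: Set[str] = {"login", "logout", "register", "delete_account", "settings",
                      "admin", "api", "static", "about", "help"}


class Router:
    def __init__(self) -> None:
        self.fixed: Dict[str, Callable[[], str]] = {}
        self.users: Set[str] = set()

    def add_route(self, segment: str, handler: Callable[[], str]) -> None:
        """Register an application page. Adding one also reserves the name."""
        self.fixed[segment.lower()] = handler
        RESERVED.add(segment.lower())

    def register_user(self, username: str) -> bool:
        """Reject names that are malformed, already taken, or collide with a page."""
        name = username.strip().lower()
        if not USERNAME_RE.fullmatch(name):
            return False
        if name in RESERVED or name in self.fixed or name in self.users:
            return False
        self.users.add(name)
        return True

    def dispatch(self, path: str) -> str:
        """Resolve a request path. Fixed routes always win over profile names, so a
        user record called 'login' (if one ever slipped in) could never hijack the page."""
        segments = [s for s in path.split("/") if s]
        if not segments:
            return "home"
        head = segments[0].lower()
        if head in self.fixed:
            return self.fixed[head]()
        if head in self.users:
            return "profile:" + head
        return "404"
```

The cleaner structural fix is to give profiles their own prefix, such as example.com/u/tim, so the two namespaces cannot overlap at all; and an action as destructive as deleting an account should only ever run on a POST with a confirmation step, never on a GET that a user can hit by accident.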

Last, but not least: just say “no” to security audits

Whether you’re using pre-made open-source frameworks or writing the code yourself, when designing a web-facing product it’s essential to think about privacy and security. After all, your application will most likely process personal information, the mishandling of which is grounds for substantial fines in some parts of the world, such as the EU under the GDPR.

Not surprisingly, there are grounds to believe that Albicla might have skipped security auditing as well.

First, users noticed that diagnostic tools had been left on a production server, exposing confidential information about the inner workings of the platform. Second, more advanced Chrome and Firefox users (yes, the browsers; hardly hacking tools!) noticed that with a few lines of code they could completely bypass the sign-up form’s requirements, which means those checks were enforced only in the browser: it was possible to create an account without providing crucial information such as a username or password. Third, a vulnerability was found that allowed users to post content on behalf of… other users, which points to a missing server-side authorization check. Yikes.
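The third finding is the classic shape of a broken authorization check, shown here as an added example written for this article (it is a reconstruction of the bug class, not Albicla’s code; the session object, request fields and in-memory store are assumptions made for illustration): the vulnerable handler takes the author from a field the client controls, the fixed one takes it from the authenticated session and ignores whatever the request body claims. The same rule extends to anything that acts on an existing object, so the ownership check on deletion is included as well.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Session:
    """What the server knows about the caller after authenticating the request."""
    user_id: int


@dataclass
class Post:
    post_id: int
    author_id: int
    text: str


@dataclass
class PostStore:
    posts: List[Post] = field(default_factory=list)
    _next_id: int = 1

    def create_post_vulnerable(self, session: Session, body: Dict[str, str]) -> Post:
        """Broken pattern: the author is whoever the client claims to be, so any
        logged-in attacker can attribute a post to any other account."""
        post = Post(self._next_id, int(body["author_id"]), body["text"])
        self._next_id += 1
        self.posts.append(post)
        return post

    def create_post(self, session: Session, body: Dict[str, str]) -> Post:
        """Fixed: the author is the authenticated session user. An author_id
        in the request body, if present, is simply ignored."""
        post = Post(self._next_id, session.user_id, body["text"])
        self._next_id += 1
        self.posts.append(post)
        return post

    def delete_post(self, session: Session, post_id: int) -> bool:
        """Object-level authorization: knowing a post's id is not enough,
        the caller must own it. Denied attempts are worth logging server-side."""
        for i, post in enumerate(self.posts):
            if post.post_id == post_id:
                if post.author_id != session.user_id:
                    return False
                del self.posts[i]
                return True
        return False
```

The general rule the example encodes: identity comes from the session the server established, never from the request, and every operation on an object checks that the session user is allowed to touch that particular object before doing anything.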

Sum-up

What happened with Albicla is perhaps a textbook example of what happens when security is not baked in to the product but sprinkled on top as a finishing layer. It’s there, it looks good, but underneath it’s full of holes, like Swiss cheese.

All jokes aside, there are serious consequences for any business that releases a half-baked web-facing product. Lack of SSDLC procedures is bound to result in a substandard application, riddled with logical mistakes and outdated methods.

Whether one chooses to use ready-made frameworks or develop everything in-house, Quality Assurance testing and security auditing should never be considered optional. Any web-facing product is bound to process personal data. Moreover, from a business perspective, there’s simply too much to lose: from the loyalty and trust of customers to heavy fines from the EU for mishandling personal data.

If the goal for 2021 is to roll out a tech product, alt-tech or mainstream, the rules of the game are basically the same. In the meantime, users are still looking for solutions that fit their needs, so there’s still time to develop the next tech unicorn. May the best product win.

03.02.2021