Developers - be careful out there!

Discussion in 'Public Game Developers Forum' started by suppoman, Mar 11, 2014.

  1. suppoman

    suppoman Active Member

    Oct 24, 2013
    Hi guys,

    I wanted to share a harrowing experience I have recently had. This is mainly aimed at developers/app creators just starting out.

    I posted a thread recently saying that I had 11,000 downloads on my chat application inside a month. At that point my app had done exceptionally well.

    However, a week ago, some hackers decided to make my life hell as a consequence of exposing some security flaws in it.

    I can only say that what happened next has been a quite stomach-churning experience. My app and my name have become infamous rather than famous; it's been all over the net. Some examples are here:

    http://aol.it/PnB8S6
    http://bit.ly/1qsdx0n
    http://zd.net/1cMt5sq

    Plus my app went viral over twitter and I received messages of hate and resentment, even people wishing me death. My twitter and godaddy accounts were hacked and I only resumed control of the latter yesterday after 3 days of being locked out. Twitter have not even bothered to do anything about my account.

    So I have learnt a very valuable lesson, keep security of user information at the very top of your agenda or face a very harsh lesson.

    Suppoman
     
  2. Ironcode

    Ironcode Active Member

    Oct 23, 2013
    India
    I think your biggest mistake was to threaten the person who contacted you. You could just have assured him that you will fix it as a first priority and this would never have blown up.

    Then you should have tried to fix the bug immediately.

    Whenever an irate customer contacts, always be nice.
     
  3. suppoman

    suppoman Active Member

    Oct 24, 2013
    He wasn't an irate customer. He wanted to make a name for himself.

    He published his full disclosure on the internet without getting in contact with me via the support email address which is on the app or my app email address which is on my website.

    Furthermore he went on to instigate the hacking events that took place.

    If he had contacted me first it would have been a different story.
     
  4. expleo

    expleo Well-Known Member

    Jul 23, 2012
    Computer Guy
    Norway
    "How Snapchat imitator Puffchat managed to do everything wrong
    Summary: Early this week Snapchat imitator Puffchat threatened a hacker for disclosing serious security holes and fallacies in the app's privacy claims. As expected, things aren't going well for Puffchat's arrogant founder."

    1) I don't think you (or anyone) deserves getting hate mails and threats.

    2) I do sympathise with the grief you must have when you read stuff like that about yourself. Probably not what you hoped for when releasing the app.

    3) Security issues should always be addressed without getting defensive. My suggestion is just lay down flat and take responsibility; it works for politicians all over the world for a reason. Those who get too stubborn, in denial or refuse to accept the responsibility often find themselves in a worse and worse situation. Admit it (whatever 'it' is), say you are sorry for compromising users' trust, and that you are working day and night for a solution.
     
  5. Broxxar

    Broxxar Member

    Jun 7, 2013
    Kingston, ON
    Forgive me if I'm wrong, but were you passing the link to the image stored on the server in plain text? Or were you at least using MD5 or a similar hashing algo (preferably then also using a private key/salt or what have you).

    The backlash doesn't seem to have much to do with the lack of security, more so with the fact that you claimed it was secure and then when a "hacker" (let's be honest, this wasn't some expert blackhat) exposed security flaws, you actually blamed them. Yes, the hacker should have brought the issues to your attention privately, but it still seems you handled the situation in just about the worst way imaginable.

    Nevertheless, thank you for sharing your valuable and hard-learned lesson with the community. Hopefully many will learn from this and avoid making similar mistakes with security of user data.

    Good luck going forward, I hope you're able to bounce back from this hiccup!
     
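As an added illustration of the point Broxxar raises (this is example code, not code from the thread or from the app under discussion): image identifiers are drawn at random rather than sequentially, and every link handed to a recipient carries a keyed HMAC plus an expiry, so a link can neither be enumerated nor reproduced from an unkeyed hash of a guessable id. The names `SERVER_KEY`, `mint_media_token` and `verify_media_token` are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side secret: lives only on the server, never inside the app binary.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds a media link stays valid


def new_image_id() -> str:
    """Unguessable storage name; a sequential integer would let anyone walk the whole store."""
    return secrets.token_urlsafe(16)


def mint_media_token(image_id: str, recipient: str, now: Optional[int] = None) -> str:
    """Issue a tamper-evident, time-limited token bound to one image and one recipient."""
    expires = (now if now is not None else int(time.time())) + TOKEN_TTL
    payload = f"{image_id}|{recipient}|{expires}"
    # Keyed HMAC: without SERVER_KEY nobody can forge a tag, unlike a bare MD5 of the id.
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_media_token(token: str, recipient: str, now: Optional[int] = None) -> Optional[str]:
    """Return the image id if the token is intact, issued to this recipient and unexpired; else None."""
    try:
        image_id, token_recipient, expires_s, tag = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return None  # malformed token
    payload = f"{image_id}|{token_recipient}|{expires}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered id, recipient or expiry
    if token_recipient != recipient:
        return None  # valid token, but presented by someone it was not issued to
    if (now if now is not None else int(time.time())) >= expires:
        return None  # link has expired
    return image_id


if __name__ == "__main__":
    img = new_image_id()
    tok = mint_media_token(img, "alice")
    print(verify_media_token(tok, "alice") == img)   # the intended recipient can fetch it
    print(verify_media_token(tok, "bob") is None)    # a forwarded link does not work for others
```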
  6. simpleinteractive

    simpleinteractive Well-Known Member

    Nov 6, 2013
    London
    You know the old saying, there is no such thing as bad publicity! This media frenzy has brought your app to a huge number of people who would never have otherwise heard of it. Now you need to turn the crisis into an opportunity...
     
  7. ThreeCubes

    ThreeCubes Well-Known Member

    Oct 13, 2012
    #7 ThreeCubes, Mar 12, 2014
    Last edited: Mar 12, 2014
    Ok so you should never receive death threats or harassment for any app (well they should at least wait until you are earning 50k a day).

    Let's face it, you made a shoddy messaging app with absolutely no thought to users' data security. You will now find that trying to upgrade the security to even a reasonable standard will cost more than it did to make the app. And now you're going to be on every hacker's hit list, so when that "New Update" is released with improved security you had better make sure it's bulletproof, as it would be a great story to run if your new update is hacked within 5 mins of it being uploaded.

    Not a good idea to threaten to sue somebody for no reason, especially as you don't have the 100k needed to stage a defamation case that you would lose. I would be more worried about users suing you for breaches of the Data Protection Act.

    Having said that Simpleinteractive is right, there is no such thing as bad publicity and for a short window whatever you say will get media traction. You could turn this into a positive!! A public apology to the hacker would be a start!


    I would also like to reiterate Broxxar's comment and thank you for being honest here; this is a great lesson that all developers should take note of.

    Hope you can find a silver lining!
     
  8. Snovi

    Snovi Member

    Mar 11, 2014
    Chicago
    Agree with the general sentiment here - you promised a secure app and it had almost no security. Don't shoot the messenger.

    Still, I find a poetic justice in that the "wronged" consist largely of vacuous kids looking for a way to secretly send pictures of their junk. In fact, that probably guarantees that you won't get sued by a customer.
     
  9. BlindAlbino

    BlindAlbino Well-Known Member

    Dec 19, 2012
    I am Co-Founder and Art Director for Blind Albino,
    La Habra Hights, California
    First off, my heart goes out to you superman. You're in a tough spot, no question.

    I'd be curious to hear more of this community's opinion on this specifically:
    Any publicity is good?

    In some casual, hypothetical, conversational sense I agree. But in a humbling yet severe case like this, would fighting that battle even be worth the effort and anguish?
    I simply don't know if I would fight on, or start from scratch.
     
  10. Blackharon

    Blackharon Well-Known Member

    Mar 15, 2010
    Game Designer for Ludia
    Canada
    If you can turn it around into a positive any news is good news, but this dev shot himself in the foot by acting like a bully.

    Imagine if, upon the news being published, the dev shot the reporters a quick "we're working on it, it's our highest priority" line, fixed the issue(s) then sent out a press release stating, "Yes, there was a flaw in our security, but we've fixed it, now you're EVEN MORE secure than before!"
     
  11. simpleinteractive

    simpleinteractive Well-Known Member

    Nov 6, 2013
    London
    Apps are very cheap or even free, so the user takes no risk in downloading an app which has become notorious because people have blogged about it. In a sense, whether the bloggers loved or hated it is immaterial. People will download it to see if it was as good/bad as they say. Good publicity is better than bad publicity, but both are *infinitely* better than no publicity. Personally I'd be delighted to see any type of publicity!

    There are many examples of a product becoming a monster hit on the back of bad publicity. Flappy Bird had "bad publicity": it was too hard/frustrating, critics said. The Da Vinci Code became popular largely because the Catholic Church disliked it. Books and apps are discretionary purchases where there is no such thing as bad publicity. Bad publicity for major purchases like a car would be less helpful!
     
  12. psj3809

    psj3809 Moderator

    Jan 13, 2011
    England
    I agree with some of the others. It's a messaging app. Not secure. Some kid exposed it and you threatened to sue! Sounds very over the top and harsh.

    Of course the name calling/threats are terrible (contact Twitter if you get threats there), but sadly this is commonplace now on social media networks.

    But as for the app not being secure: doesn't sound good at all. I wouldn't shoot the messenger. Actually, be thankful they exposed some major flaws which you should fix (and should have found originally).
     
  13. Option4Studios

    Option4Studios Active Member

    Jan 1, 2014
    Reading the articles, it's claimed that outsourcing was involved? If this is true, no doubt they told you it was really secure. This is one of the dangers if you don't have a competent developer at your end to check their work and understand what measures they're putting in place.

    As others have said, maybe just quietly get on with fixing it and 'relaunching' with a 'now even more secure' tagline.

    Good luck.
     
  14. Option4Studios

    Option4Studios Active Member

    Jan 1, 2014
    ...oh, I forgot to add: ignore any 'death threats', it now seems to be the norm on the internet to say these phrases. Trust me, they don't mean it and they will move on to the next thing when you go quiet.

    Take a break from the internet perhaps?
     