Why my chat app broke… a cautionary tale

  • Added 21. 12. 2022
  • My chat app became overwhelmed with profanity and spam, but all this could have been avoided with better security practices. Let's take a look at essential app security libraries and techniques.
    #programming #hacking #tech
    💬 Chat with Me on Discord
    / discord
    🔗 Resources
    - Original Chat App Pocketbase Project • I built a $5 chat app ...
    - 7 Web Security Risks • 7 Security Risks and H...
    - Cryptography Concepts • 7 Cryptography Concept...
    - Cloudflare Turnstile www.cloudflare.com/products/t...
    🔥 Get More Content - Upgrade to PRO
    Upgrade at fireship.io/pro
    Use code YT25 for 25% off PRO access
    🎨 My Editor Settings
    - Atom One Dark
    - vscode-icons
    - Fira Code Font
    🔖 Topics Covered
    - How to prevent profanity in app
    - How to deal with spam bots
    - How to prevent website hacking
    - Web app security best practices
    - Cloudflare Turnstile vs reCaptcha
    - Preventing DDoS attacks
  • Science & Technology

Comments • 707

  • @Fireship
    @Fireship  a year ago +1798

    For those asking, the Toshimichi exploit was simple. My Pocketbase update rule failed to match the auth request userID to the existing message userID, thus allowing any user to modify the content of any message, whoops

    • @IqmalNazlan
      @IqmalNazlan a year ago +207

      This was a fun breakdown. You should do more of these! Or viewers could submit their sites, to have it stress tested. Followed by a review. Interesting stuff

    • @zeropaper
      @zeropaper a year ago +94

      Reminds me of the slashdot effect :) well done.
      And yeah, "fireship viewers stress test as a service"... That could make bucks.

    • @arjittw
      @arjittw a year ago +19

      This is the funniest video I have ever seen on CZcams.

    • @arjittw
      @arjittw a year ago +16

      The best way to protect your chat app is "This video and PocketChat is for educational purpose only*"

    • @mikhalpalych
      @mikhalpalych a year ago +9

      actually very useful content for beginners

  • @Evansgr123
    @Evansgr123 a year ago +514

    Obviously you should have implemented a blue check for only valid users who pay $8 for it, which would eliminate any possibility of misuse!

    • @FutureChaosTV
      @FutureChaosTV a year ago +1

      /s

    • @sczoot6285
      @sczoot6285 a month ago +1

      He really should have though. Imagine how much cash he could have raked in from the trolls

  • @SpaceChicken
    @SpaceChicken a year ago +568

    Fireship, I understand your painful moderation of the chat app, but I have to say, I had a few of the most fulfilling and satisfying conversations with like-minded individuals there. I haven’t read such intelligent poetry as “elonnnnnnnn#&$@?!” and “FARTFARTFARTFARTFARTFART” in my entire life.

    • @respectthedripkaren4515
      @respectthedripkaren4515 a year ago +42

      I felt so dumb I couldn't come up with these

    • @weblure
      @weblure a year ago +31

      Personally, I enjoyed the endless spam of Twitter URLs containing videos of real-life zoophilia porn (because that's apparently allowed on Twitter, somehow)

    • @CMDR_Hadion
      @CMDR_Hadion a year ago +8

      @@weblure I'm sorry, WHAT!?! Is this a pre-Elon thing or post-Elon thing?

    • @ghosthunter0950
      @ghosthunter0950 a year ago +20

      @@CMDR_Hadion probably both pre and post.

    • @marusdod3685
      @marusdod3685 a year ago +1

      i support the current thing

  • @ryanpmcguire
    @ryanpmcguire a year ago +448

    I feel like a good way to stop the profanity would be to explicitly state that it is allowed.

    • @flethacker
      @flethacker a year ago +23

      then you get a swamp

    • @rob011
      @rob011 a year ago +38

      Encouraged, even

    • @devviz
      @devviz a year ago +73

      yes because people only like to do things that are forbidden

    • @SirusStarTV
      @SirusStarTV a year ago +19

      Aftermath: even more profanity

    • @XxZigonxX
      @XxZigonxX a year ago +4

      yeah I don't understand why the man does not allow swearing.. the amount of swears I see day to day is minimal, and they are used to make a statement otherwise lol.

  • @EnricoRos
    @EnricoRos a year ago +521

    Reddit meets 4chan for a day? So instructional!! 🙏 Thanks! A crash course in security, psychology, best practices. Twitter in a nutshell.

    • @khrounose
      @khrounose a year ago +26

      Twitter meets reddit meets 4chan meets discord meets skype meets zoom meets kik meets facebook. Myspace in a nutshell.

  • @4citi
    @4citi a year ago +98

    I gotta say, I love this channel. Enough tech and humor to get me through work

  • @jesseparrish1993
    @jesseparrish1993 a year ago +218

    You can't beat spam on chat apps because chatroom messages are intrinsically spam.

    • @8koi245
      @8koi245 a year ago +6

      I have seen a timeout of 10min in Discord tho, horrible UX but it was needed at the moment

    • @Cyril29a
      @Cyril29a a year ago +2

      I don't agree. The difference between spam and any content is value to the audience, and an indicator of the community quality. I would say bad communities devolve into spam

    • @jesseparrish1993
      @jesseparrish1993 a year ago

      @@Cyril29a Small likeminded communities can curate a chatroom

    • @Cyril29a
      @Cyril29a a year ago

      @@jesseparrish1993 I don't think they have to be small but they do have to be a real community. That is the essence of my original point

    • @SamuelLing
      @SamuelLing a year ago +1

      when someone spams, you post their address 😀

  • @mcrazick8662
    @mcrazick8662 a year ago +594

    If censorship continues in such trends, especially with the use of sophisticated AI, people on social media will become more sarcastic and passive-aggressive :)

    • @alfredogonzalez9420
      @alfredogonzalez9420 a year ago +50

      I mean that's what's going on in china, so yeah we are heading there.

    • @shareefhassan8197
      @shareefhassan8197 a year ago +20

      what if AI learned how to detect sarcasm

    • @makowiec2k
      @makowiec2k a year ago +133

      @@shareefhassan8197 then it would truly have surpassed humans since some of them still don't get it

    • @GrieverIIDX
      @GrieverIIDX a year ago +46

      How to solve h8 speech: realize it isn't real.

    • @helightdev
      @helightdev a year ago +36

      @@shareefhassan8197 I'm looking forward to sarcasm evolving beyond what we mere mortals are currently able to understand. I'm looking forward to reading complex, deep and artistic walls of text written by the greatest poets of our time, just to insult someone's mother.

  • @Murmeltier
    @Murmeltier a year ago +59

    It's funny to see how programming evolved, but the problems basically stayed the same. I remember the time 20 years ago, when everyone was programming IRC bots to mitigate the same behavior. Maybe on a much smaller scale, tho.

  • @jasonc6241992
    @jasonc6241992 a year ago +9

    Dude I love how you bring current events into your videos.

  • @randxalthor
    @randxalthor a year ago +45

    These are the most helpful videos for me coming from another specialty. All the pitfalls of practical engineering that you usually have to learn the hard way because nobody vlogs about their failures.

  • @PPMBlast
    @PPMBlast a year ago +103

    There are currently large-scale login attacks on a number of industries. These are all good practices to follow but I'd love to hear suggestions on limiting the maniacs with scripts/headless browsers validating the captcha synthetically

    • @DanielNetSet
      @DanielNetSet a year ago +1

      headless or no, how do you validate captcha synthetically?

    • @ano_nym
      @ano_nym a year ago +1

      @@DanielNetSet new captcha often works in the background, by checking lots of the browser's info. Probably possible to spoof or something.

    • @crushfire2004
      @crushfire2004 a year ago +4

      Won't recaptcha/cloudflare prompt a picture question like you need to pick a traffic light, boat, bike or car from a grid of pictures when they detect something suspicious?

    • @DogeMultiverse
      @DogeMultiverse a year ago

      did you not watch the video?

    • @captaindrake8040
      @captaindrake8040 a year ago +11

      captchas v3 can be easily deceived and captcha v2 is also being cracked by thousands of Indian guys doing it for a couple of dollars per 1000 captchas

  • @PixelSheep
    @PixelSheep a year ago +4

    the last sentences really summed up any approach towards trying to create any program ever made

  • @DuckyyFuzzz
    @DuckyyFuzzz a year ago +19

    Part 1: here’s how to build a public chat app
    Part 2: ten reason why you shouldn’t build a public chat app

  • @Ayymoss
    @Ayymoss a year ago +274

    Are you not going to go over the how the exploit worked? That would have been interesting. :(

    • @windyWindward
      @windyWindward a year ago +10

      would love that

    • @adiorthotos
      @adiorthotos a year ago +9

      I _need_ a video on this...

    • @tashima42
      @tashima42 a year ago +69

      He most likely forgot to add a rule in pocketbase to only allow the user who created the message to modify it.

    • @shampoable
      @shampoable a year ago +41

      I assume the "hacker" made a patch request to the message endpoint with the id of Fireship's message, which wasn't disabled or being validated

    • @HappyGick
      @HappyGick a year ago +2

      Pinned comment

  • @pablorodriguez196
    @pablorodriguez196 a year ago +2

    This channel is fantastic. The byte sized, high level, and easy to consume content is incredibly well presented. Kudos man!

  • @TravisRayLive
    @TravisRayLive a year ago +2

    This was a really great video into some of the trickier aspects of building simple apps. I mean, a chat app 10 years ago would have been a pain, but today it's easy, but there are still so many little things you need to keep an eye on, and I love how you tackle them in a funny but informative way.

  • @andymc1110
    @andymc1110 a year ago +5

    Was amazing how much traffic the demo app got. And it was fun to watch all the exploit attempts in real-time. Would love to see this turned into a series where we continue to strengthen, and stress test the app.

  • @WolfPhoenix0
    @WolfPhoenix0 a year ago +50

    Why can't someone just create a JS framework that does all of this for us? This is what we really need! 😂

    • @vaisakhkm783
      @vaisakhkm783 a year ago +2

      100 frameworks that are only 1% effective 😆

    • @marusdod3685
      @marusdod3685 a year ago +1

      @@vaisakhkm783 fork the framework, fix all the bugs then give it a new name

  • @SethBrasile
    @SethBrasile a year ago +3

    @Fireship I can't describe how incredibly useful content like this is. This is so so so useful and would make a great format to keep exploring.

  • @conororeilly5492
    @conororeilly5492 a year ago +3

    Man, this actually seems like an incredible way of showing people considerations that need to be made when making anything. Streaming it and watching how "trolls", or poltergeists more like, start trying to wreak havoc. I love it

  • @m4rt_
    @m4rt_ a year ago +19

    0:36 Note, that is an edited headline... it was in fact not about Die Hard.

    • @andrewvella7829
      @andrewvella7829 a year ago

      What was it about?

    • @m4rt_
      @m4rt_ a year ago

      @@andrewvella7829 she said some bad stuff about LGBTQ+ stuff iirc

    • @supermanifolds
      @supermanifolds a year ago +9

      She was directly harassing a transgender person in violation of our law on targeted hate speech, pretty fucking tone deaf of Fireship to edit it like this I don’t know what he’s trying to insinuate with this joke

    • @pianissimo7121
      @pianissimo7121 a year ago +5

      @@supermanifolds that Die Hard isn't a Christmas Movie?

    • @That_Awesome_Guy1
      @That_Awesome_Guy1 a year ago +1

      @@supermanifolds I'm glad I don't live in a backwards country where you can go to prison for telling someone what gender they really are.

  • @shichiha6138
    @shichiha6138 a year ago +20

    I like how he censored everything he said except "balls" 😂😂😂

    • @mcrazick8662
      @mcrazick8662 a year ago +3

      Without context it's not profanity.

    • @RealJohnnyDingo
      @RealJohnnyDingo a year ago

      these are not the balls you're looking for 👋

    • @TorutheRedFox
      @TorutheRedFox a year ago

      @@mcrazick8662 even with context it's just a slang word that some people decided is a bit naughty

  • @btarg1
    @btarg1 a year ago +2

    I would love to see a series or stream where you take a look at the code of viewer-made apps and try to improve upon it or review it

  • @william254
    @william254 a year ago +1

    That was more educational than a tutorial. Getting to see what happens when you deploy your app to a large audience is something we rarely see or experience

  • @firedforfighting
    @firedforfighting a year ago +1

    This is why I love your work!!! I have met so many wonderful people from chatrooms and have always wanted to make a chat app to do the same for future generations but my got the obscenity/ age verification/ scale that doesn't bankrupt me always had me frozen in fear and I'm so grateful to get a glimpse of what would have happened !! It's so hard to create a safe space..i might save it for when I'm old and retired and can monitor myself lol..thanks for sharing your hard work! I appreciate it 🙏

  • @Achilles
    @Achilles a year ago +13

    You left out the most important piece! How did that guy overwrite your comment? What was the exploit used?

  • @michaeltheisen
    @michaeltheisen a year ago +1

    2:51 is a representation of all of my fears and anxieties encapsulated into one single image.

  • @Nomadjackalope
    @Nomadjackalope a year ago

    This is a topic I don't see much about but is something I definitely worry about when making apps with users. Thanks for sharing!

  • @softwaretechnologyengineering

    That's awesome dude. I can't imagine how much you learned while you had that up and running. Fun times.

  • @jasonrulesudont5515
    @jasonrulesudont5515 a year ago

    Thanks for the follow-up! I had a feeling there would be some shenanigans. I wasn’t brave enough to sign up myself and look at it.

  • @mjerez6029
    @mjerez6029 a year ago

    Amazing work. Would love to see a bit more in depth video about the pocket base performance.

  • @agentmusichd
    @agentmusichd a year ago +138

    Use auto ChatGPT to shut up some users

    • @evryon1810
      @evryon1810 a year ago +22

      This is a great use of AI, maybe one day it will be accurate enough to leave moderation to it entirely

    • @antoruby
      @antoruby a year ago +32

      @@evryon1810 don’t forget who decides how the AI was trained to moderate. There’s no “neutral” moderation!

    • @weblure
      @weblure a year ago +1

      Sounds like a good way to have the internet send you into bankruptcy by spamming you up an OpenAI bill of 1 billion dollars.
      Also, OpenAI threatens to shut down accounts that send inappropriate messages to the AI, which hilariously makes it all but useless. Sure, they tell you that you can set up filters to prevent this... But then you're just back to using filters, so what's the point?
      Also, ChatGPT is far too restrictive and finds just about anything to be offensive to someone in some way... Unless you find a way to trick it into thinking promoting the holocaust and spamming the n-word is actually a good thing, which isn't that hard to do. Then you're back at square one, except now the spammers are both ruining your app AND making you pay for them to do so.
      Regardless, it's way too pricey to be useful for anything but the world's slowest internet forum.

    • @thesenamesaretaken
      @thesenamesaretaken a year ago +21

      @@antoruby being subjugated by AI overlords is all part of the fun

    • @TheNewton
      @TheNewton a year ago +10

      Like how some games use bots presented as real players. So I'm waiting for that to be the next shadow ban innovation. Fake chatgpt interactions for the shadow banned so abusers continue to over commit resources instead of another new account.

  • @valikonen
    @valikonen a year ago +8

    Yes! You're a classic fullstack dev!

  • @anurag8411
    @anurag8411 a year ago +1

    As from a cyber security specialist view I see this is an absolute win, you performed a real world scenario in which a heck lot of people participated and with your app logs and security records we can study the whole case to implement best precautions for future apps. Bro you can just view the logs and the bugs that people used to abuse, I am just giving my opinion but this is an absolute win, you performed an experiment on real world people while staying at minimum collateral DAMAGE! Bravo man!

  • @mpldr_
    @mpldr_ a year ago +5

    And this is why you never let a Javascript Developer touch the backend. ^^
    But seriously, good thing that you made this update, so other Devs can learn from it.

  • @J-qak
    @J-qak a year ago

    Love this miniseries, both laughed and learned a lot.

  • @otistically
    @otistically a year ago +4

    Moderation: *exists*
    Fireship: I don't need it :)

  • @HEXX12341
    @HEXX12341 a year ago +75

    This was quite insightful. All those standard security practices skipped just to please the Arch and hit the deadline - "Just push to prod, we'll solve it when it comes..." 😂
    Awesomely done though! Well done and keep inspiring us like that :)

    • @YosepRA
      @YosepRA a year ago

      Too real... Don't forget that the higher ups will blame you anyway because you can't come up with a robust security system within a 3 day deadline.

    • @pianissimo7121
      @pianissimo7121 a year ago

      @@YosepRA 3 days?!? Can I apply at your Company?

    • @YosepRA
      @YosepRA a year ago

      @@pianissimo7121 As long as you pay for your monthly asylum fee, then yes. 🤣

  • @RealJohnnyDingo
    @RealJohnnyDingo a year ago +1

    wow, talk about making lemonade out of lemons 😂 great video, Fire Guy!

  • @UselessDuckCompany
    @UselessDuckCompany a year ago

    I got banned from twitch once for bad user content so I feel your pain. It's just impossible to automate well.

  • @king-cog
    @king-cog a year ago

    This was very very very educational. Fire content... Keep it coming.

  • @manulectric
    @manulectric a year ago

    This is a really instructive video for those actually deploying apps in the wild!

  • @techpiller2558
    @techpiller2558 a year ago +1

    The best part was you just trying to have a snack and relax, but the madness just keeps pouring in from the cracks of the ship, lol.

  • @htmoh8115
    @htmoh8115 a year ago +1

    I created a chat app site but not fully working. But spam is something I never thought about. What a nightmare.

  • @neoswann2143
    @neoswann2143 6 months ago

    😭😭😭 never knew programming videos would have me cracking up like this. Jeff you're the best 😭✊🏼🔥

  • @jerseyse410
    @jerseyse410 a year ago

    I think this was probably my favorite fireship video ever.

  • @beinyourguard
    @beinyourguard a year ago +8

    "Nobody wants to use an app that can be spammed by an unlimited amount of hate speech and profanity"
    **Twitter users looking away**

  • @Hikazey
    @Hikazey a year ago

    Why does your voice drop in pitch randomly throughout the video? Do you change microphones or record at different times of the day? Weird questions to ask but it's one of those micro details that bug me because at first I thought it was two different people recording parts. Thanks, love the videos! 😊

  • @minimalist_zero
    @minimalist_zero a year ago

    This was fun and informative, thanks!

  • @secretterminal2179
    @secretterminal2179 a year ago

    I run a small global chatroom bot on discord, with the intention to keep it completely free of moderation. This is intentional, as it's an experiment to see how much I can do to make an experience bearable while also allowing what could be considered extremely toxic behavior. The solution that I eventually arrived on to solve this problem is ultimately personal moderation, like blocking accounts on an individual level to tailor an experience for each user. Just recently I started recording "reputation" (it's named karma for the easy Reddit joke) as a similar solution as to how vrchat tackled this problem. The feature isn't 100% live yet, but the values are still being recorded so the feature isn't completely useless right out of the gate. This does run the risk of alienating new users with good intentions as most individuals would probably set a security level above what a new user would normally have, but that's always the risk with these sort of things is the unintended side effects. The blocking feature has the unintended side effect of making users on the receiving end somewhat mad and making them less likely to speak in the room. There's also the problem of culture and non-invasively cultivating something you're happy with by exposing it to groups of people you trust before gradually making it more publicly available
    I knew this app was gonna fail hard, but that's ok, because that was the point. These sorts of chat rooms are one of the hardest things to get right and it's important that you give your users the ability to make their experience better, because even if you plan on doing direct moderation, one person can only do so much

  • @brianevans4
    @brianevans4 a year ago

    I'd like to see you implement all these recommendations and see if you can make it as bulletproof as possible

  • @rob011
    @rob011 a year ago +1

    Max open files is the most uncomfortable lesson to learn when you first start building scaling apps; Gani is a champion for raising that.

  • @michaeltheisen
    @michaeltheisen a year ago

    Saved to "Project Ideas" folder

  • @vdynmx
    @vdynmx a year ago +2

    Jeff coming in clutch

  • @BudgiePanic
    @BudgiePanic a year ago

    I remember when a friend was writing soo many emails, he hit the limit and it stopped him because they thought a bot had taken over

  • @juleswinnfield1437
    @juleswinnfield1437 a year ago

    This video is fantastic, as always :)

  • @thomas6502
    @thomas6502 a year ago

    (...takes a moment to recover from the humor response...) Thanks sir, love your channel and sense of humor! May all our ships are belong to fire. Keep up the gr8 jorbs. (That's "thank you" in human talk.)

  • @DogeMultiverse
    @DogeMultiverse a year ago

    this went exactly how i expected it to go. well done internet

  • @rajmajumdar5253
    @rajmajumdar5253 a year ago +14

    Last but a great video as always, tho please explain the exploit a little bit.

  • @thelastdankbender4353
    @thelastdankbender4353 a year ago +1

    That edit post about the Norwegian actress made me laugh so hard. For anyone who's curious about the real article in question here, she's actually facing charges because she said the prequels weren't funny.

  • @LindsayWells
    @LindsayWells a year ago

    I absolutely love this so good. Fireship you are a god

  • @hoan.nguyen88
    @hoan.nguyen88 a year ago +12

    may I ask you what is the software you used to draw the 3d flow chart in the video? Thanks 👍

  • @dennisbarzanoff9025
    @dennisbarzanoff9025 6 months ago

    omg the captcha is so relatable

  • @lotfiholmes6397
    @lotfiholmes6397 a year ago

    This is the best PocketBase ad ever

  • @rocket007
    @rocket007 a year ago

    I absolutely positively enjoy watching your content. =D

  • @UpkommingDeveloper
    @UpkommingDeveloper a year ago +1

    Man does this channel rock 🤟

  • @perfectforasiim
    @perfectforasiim a year ago +1

    What is that site you're using for mapping AWS services at 3:42?

  • @umeshthorbole3875
    @umeshthorbole3875 a year ago +2

    I just started laughing my ass off at the start of the vid and felt proud of how big the fireship gang is.

  • @theburntcrumpet8371
    @theburntcrumpet8371 a year ago

    Nice to see you visiting Leeds

  • @mayboy401studios
    @mayboy401studios a year ago +18

    Thank you Mr.Fireship for taking the L for all of us noob programmers that will help shape the next generation internet.

  • @mhendrickx
    @mhendrickx a year ago

    Hah, great video! Security vulnerabilities happen to the best :) Insightful and good learning experience!

  • @karlstenator
    @karlstenator a year ago +6

    3:36 - what app is that?

    • @RealDyllon
      @RealDyllon a year ago

      curious about this as well.

    • @mikewazowski3413
      @mikewazowski3413 a year ago

      Someone else answered this in another comment: it’s called Cloudcraft

  • @luffythestrchykid
    @luffythestrchykid a year ago

    This video is so useful most people don't know... saved and learned...

  • @ra2enjoyer708
    @ra2enjoyer708 a year ago +2

    This is kinda the annoying part of building a public site, especially with user generated content. It always has to start with account/auth/invite/moderation systems, but they are pain in the ass and unfun to develop and conceptualise without users and content in place.
    And it also quickly becomes a social engineering problem rather than technical one. To avoid the situations like in the video, comments have to be approved first to appear in public. But a single admin can only do so many approvals, so he has to create an army of mods to do that. And because mods tend not to be of high morals (not to mention being a janny is a boring work), you'd have to create an audit system in place too. Which means a lot of DB interactions start to get lathed with auth-related side-effects and relations, which in turn gets even harder to develop and test. And at some point you end up with a clique of CP-sharing mods who have way too much insider knowledge.
    Basically it's a suffering all throughout.

  • @ANewWorldFool
    @ANewWorldFool a year ago +1

    Thanks for sharing your experience. I was about to deploy a similar app using next js and AWS to showcase it in my portfolio. There were lots of things I didn't take into account 😅. You just saved my broke student's ass. 🙇

  • @russelllapua4904
    @russelllapua4904 a year ago +19

    This is hilarious. I'm glad some of you are chaotic good 😅

    • @Darth_Bateman
      @Darth_Bateman a year ago +3

      “Good”

    • @russelllapua4904
      @russelllapua4904 a year ago

      @@Darth_Bateman Yes because it's harmless fun. If it was bad then someone could have done a lot, lot worse.

  • @thomas_mulhern
    @thomas_mulhern a year ago +2

    What is that UI at 3:36 with all the different AWS components? Is that a design tool, or can you use some type of GUI to connect those things together?

  • @LowrollerWTF
    @LowrollerWTF a year ago

    recaptcha V3 and blocking bots with cloudflare should've been enough to spam but indeed rate limiting is a nice thing to add

  • @ishanksharma9051
    @ishanksharma9051 a year ago +9

    You could create a contest where people compete by creating the same app but trying to solve these problems best

  • @prashantmaharana3467
    @prashantmaharana3467 a year ago

    The wisdom, meme and news makes me feel more than alive ✨

  • @agentmusichd
    @agentmusichd a year ago +4

    Is this why companies have thousands of employees, and why they don't fire them?

  • @ninjaasmoke
    @ninjaasmoke a year ago +1

    want to learn how that person hacked into the app though.. please make a video

  • @Ewalk0871
    @Ewalk0871 a year ago +2

    I watched this entire video, as a software QA/ Support engineer, and all I got was that Arby's has the strawberries and cream pies back.

  • @roid1510
    @roid1510 a year ago

    Ah yes. This is fitting for me working on a chat room prototyping app as my end of year project

  • @SuperBlackReality
    @SuperBlackReality a year ago

    This is how testing in production goes

  • @d-rex7043
    @d-rex7043 a year ago

    Sounds like a good way to train a Moderation model - just sit there tagging yes/no. Probably have all the labelled data you could ever need in a day or two.

  • @SaulKohn
    @SaulKohn a year ago +1

    What was the GUI being used at 3:40?

  • @RemotHuman
    @RemotHuman a year ago

    You should make a video on vertical scaling

  • @drjones694
    @drjones694 a year ago

    I give pocketbase props for handling all this traffic wow

  • @astroorbis
    @astroorbis a year ago

    What tool are you using at 3:37? I've seen it a few times and I wanna use it lol

  • @Mouamle
    @Mouamle a year ago +11

    What's the name of the tool used in 3:40 ?

    • @vaisakhkm783
      @vaisakhkm783 a year ago

      I too want to know... that looks really cool... I have seen it in multiple places, but no idea what it is

    • @tatopo77
      @tatopo77 a year ago

      same looks good to design a project ngl

    • @seeingblind2
      @seeingblind2 a year ago

      Cloudcraft

  • @landmaxdev4004
    @landmaxdev4004 a year ago +1

    Glad you keep your awesome sense of humor. And sharing it.

  • @marktwain3083
    @marktwain3083 a year ago +11

    Does anyone have any idea of how this guy managed to find an exploit to overwrite messages?

    • @jasonc6241992
      @jasonc6241992 a year ago +3

      probably found the endpoint and passed message id with a PATCH, since Jeff didn't put rules, any user can edit any message.

    • @DarkzarichV2
      @DarkzarichV2 a year ago +2

      When building an app for many users you should consider that someone could use your app not through your UI but sending requests directly via some script, postman or even curl terminal. Fireship forgot to check if a request is allowed because those requests are sent from admin panel and that is not available for a regular user but what if a user just knows what request will be like and will just send it bypassing UI? Figures :)
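
The failed rule described in the pinned comment and in this thread, as an added example that is not code from the video or from PocketBase: a message-update handler whose only check is "is someone signed in", beside one that also matches the caller's id against the stored owner. The in-memory store, record shape `{ id, user, content }`, ids and `AuthError` are constructed for the example; the PocketBase rule quoted in the comment assumes the messages collection has a `user` relation field.

```javascript
// Added example (not from the video or PocketBase): ownership check on a
// message-update endpoint. Assumed record shape: { id, user, content }, where
// `user` is the owner's id and `authUserId` comes from a verified auth token.

class AuthError extends Error {}

// Constructed in-memory stand-in for the "messages" collection.
function makeStore() {
  return new Map([
    ["m1", { id: "m1", user: "fireship", content: "hello chat" }],
    ["m2", { id: "m2", user: "toshimichi", content: "hi" }],
  ]);
}

// The rule as it was: only "is a user signed in?" is checked, so any
// authenticated account can rewrite any message (the bug in the pinned comment).
function updateMessageVulnerable(store, authUserId, messageId, newContent) {
  if (!authUserId) throw new AuthError("not authenticated");
  const msg = store.get(messageId);
  if (!msg) throw new Error("message not found");
  msg.content = newContent;
  return msg;
}

// The rule as it should be: the token's user id must equal the stored owner.
// The same check as a PocketBase update rule (assumes a `user` relation field):
//   @request.auth.id != "" && user = @request.auth.id
function updateMessage(store, authUserId, messageId, newContent) {
  if (!authUserId) throw new AuthError("not authenticated");
  const msg = store.get(messageId);
  if (!msg) throw new Error("message not found");
  // Owner comes from the stored record, identity from the token; nothing in the
  // request body (which a curl/Postman caller fully controls) is trusted here.
  if (msg.user !== authUserId) throw new AuthError("not the owner of this message");
  msg.content = newContent;
  return msg;
}

// Runs one update attempt against both rules on fresh stores and reports
// whether each rule allowed it ("allowed" / "denied" / "error").
function compareRules(authUserId, messageId) {
  const result = {};
  const rules = [["vulnerable", updateMessageVulnerable], ["fixed", updateMessage]];
  for (const [name, fn] of rules) {
    try {
      fn(makeStore(), authUserId, messageId, "edited");
      result[name] = "allowed";
    } catch (e) {
      result[name] = e instanceof AuthError ? "denied" : "error";
    }
  }
  return result;
}

console.log(compareRules("toshimichi", "m1")); // { vulnerable: 'allowed', fixed: 'denied' }
console.log(compareRules("fireship", "m1"));   // { vulnerable: 'allowed', fixed: 'allowed' }
```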

  • @mmk-69420
    @mmk-69420 a year ago

    Almost fell off my chair at 1:33 xD

  • @jasonoconner7863
    @jasonoconner7863 a year ago

    Great video! :D

  • @blueiicey
    @blueiicey a month ago

    loll the mean girls musical reference

  • @culi7068
    @culi7068 a year ago +1

    - allow people to sign up w/o email
    - each account has a cooldown timer and/or a post limit per a timespan
    - unverified email: +20s timestamp; pooped on a lot: limit of 2 comments/minute; ai suspects toxic comments: [etc]
    - you could also do the inverse where everyone might start with a limit of 10 comments/minute but users with "good behavior" can post more
    that way you still keep your app just as accessible and easy to use as it was previously but add some more dynamic barriers to prevent spammers, dickheads, and ||suicide messages||
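
The tiered posting limits sketched in the comment above, as an added example that is not part of the comment or the video: a per-account limit derived from verification, report count, a toxicity flag and reputation, enforced over a sliding 60-second window with an extra cooldown for unverified accounts. The account fields, the thresholds and the `PostLimiter` class are assumptions chosen to match the numbers in the comment.

```javascript
// Added example (not from the comment or the video): per-account posting
// limits that tighten for unverified or reported accounts and loosen for
// accounts in good standing. Field names and thresholds are assumptions.

// Allowed posts per sliding 60-second window, derived from account state.
function postsPerMinute(account) {
  let limit = 10;                                       // default for everyone
  if (!account.emailVerified) limit = Math.min(limit, 3);
  if (account.reports >= 5) limit = Math.min(limit, 2); // "pooped on a lot"
  if (account.flaggedToxic) limit = Math.min(limit, 1); // classifier suspects toxicity
  if (account.reputation >= 100) limit += 10;           // good behaviour earns headroom
  return limit;
}

// Minimum gap between two posts by the same account, in milliseconds.
function cooldownMs(account) {
  return account.emailVerified ? 0 : 20_000;            // unverified: +20s per post
}

class PostLimiter {
  // `now` is injectable so the limiter can be driven by a fake clock in tests.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.history = new Map();                           // account id -> timestamps
  }

  // Decide whether `account` may post right now; records the post if allowed.
  check(account) {
    const t = this.now();
    const prior = this.history.get(account.id) ?? [];
    const recent = prior.filter((ts) => t - ts < 60_000);
    const last = recent[recent.length - 1];
    if (last !== undefined && t - last < cooldownMs(account)) {
      return { allowed: false, reason: "cooldown" };
    }
    if (recent.length >= postsPerMinute(account)) {
      return { allowed: false, reason: "rate limit" };
    }
    recent.push(t);
    this.history.set(account.id, recent);
    return { allowed: true, reason: "ok" };
  }
}
```

Because the window is per account rather than per IP, a single abusive account cannot consume the allowance of everyone behind the same NAT, and the limiter degrades gracefully when the reports or reputation fields are updated between calls.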

  • @AverusMuto
    @AverusMuto a year ago

    I am learning so much.

  • @hereticstanlyhalo6916
    @hereticstanlyhalo6916 a year ago +4

    The website says "This chat app has been seized by the FBI", I'm assuming this is just a joke made in the video and you just took it down just cus the project is done, right?