Why my chat app broke
 a cautionary tale

  • Added 21. 12. 2022
  • My chat app became overwhelmed with profanity and spam, but all this could have been avoided with better security practices. Let's take a look at essential app security libraries and techniques.
    #programming #hacking #tech
    🔗 Resources
    - Original Chat App Pocketbase Project • I built a $5 chat app ...
    - 7 Web Security Risks • 7 Security Risks and H...
    - Cryptography Concepts • 7 Cryptography Concept...
    - Cloudflare Turnstile www.cloudflare.com/products/t...
    🔥 Get More Content - Upgrade to PRO
    Upgrade at fireship.io/pro
    Use code YT25 for 25% off PRO access
    🎨 My Editor Settings
    - Atom One Dark
    - vscode-icons
    - Fira Code Font
    🔖 Topics Covered
    - How to prevent profanity in app
    - How to deal with spam bots
    - How to prevent website hacking
    - Web app security best practices
    - Cloudflare Turnstile vs reCaptcha
    - Preventing DDoS attacks
  • Science & Technology

Comments • 723

  • @Fireship 1 year ago +1795

    For those asking, the Toshimichi exploit was simple. My Pocketbase update rule failed to match the auth request userID to the existing message userID, thus allowing any user to modify the content of any message, whoops

    • @IqmalNazlan 1 year ago +208

      This was a fun breakdown. You should do more of these! Or viewers could submit their sites, to have it stress tested. Followed by a review. Interesting stuff

    • @zeropaper 1 year ago +94

      Reminds me of the slashdot effect :) well done.
      And yeah, "fireship viewers stress test as a service"... That could make bucks.

    • @arjittw 1 year ago +19

      This is the funniest video I have ever seen on CZcams.

    • @arjittw 1 year ago +16

      The best way to protect your chat app is "This video and PocketChat is for educational purpose only*"

    • @mikhalpalych 1 year ago +9

      actually very useful content for beginners
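
The authorization gap described in the pinned comment above, shown as an added example that is not code from the video or from PocketBase: a small in-memory model of a message update endpoint, run once with a rule that only checks for a signed-in account and once with a rule that also compares the requester to the stored message's owner. The collection layout, the `user` field and every function name are assumptions made for illustration.

```javascript
// Added illustration (not code from the video or from PocketBase): an in-memory
// model of a "messages" collection and its update rule. All names are assumed.

// Constructed sample data: `user` is the id of the account that wrote the message.
function seedMessages() {
  return new Map([
    ["m1", { id: "m1", user: "u_owner", text: "original text" }],
    ["m2", { id: "m2", user: "u_other", text: "another message" }],
  ]);
}

// Weak rule: any signed-in account may update any record. The requester's id
// is never compared with the record's `user` field.
function weakUpdateRule(auth, record, patch) {
  return Boolean(auth && auth.id);
}

// Owner rule: the requester must be signed in, must own the stored record, and
// may not hand the record to a different account through the patch.
function ownerUpdateRule(auth, record, patch) {
  if (!auth || !auth.id) return false;
  if (record.user !== auth.id) return false;
  return patch.user === undefined || patch.user === auth.id;
}

// Update handler: look up the record, evaluate the rule against the *stored*
// record (not the client-supplied body), then apply writable fields only.
function updateMessage(store, rule, auth, id, patch) {
  const record = store.get(id);
  if (!record) return { status: 404 };
  if (!rule(auth, record, patch)) return { status: 403 };
  const next = { ...record };
  if (typeof patch.text === "string") next.text = patch.text;
  if (typeof patch.user === "string") next.user = patch.user;
  store.set(id, next);
  return { status: 200, record: next };
}

// Runs the same requests against both rules and returns the outcomes.
function runScenarios() {
  const owner = { id: "u_owner" };
  const other = { id: "u_other" };
  const weak = seedMessages();
  const hard = seedMessages();
  const results = {
    // Another account edits the owner's message.
    weakForeignEdit: updateMessage(weak, weakUpdateRule, other, "m1", { text: "changed" }).status,
    hardForeignEdit: updateMessage(hard, ownerUpdateRule, other, "m1", { text: "changed" }).status,
    // The owner edits their own message.
    hardOwnerEdit: updateMessage(hard, ownerUpdateRule, owner, "m1", { text: "fixed typo" }).status,
    // The owner tries to reassign the message to another account.
    hardOwnerReassign: updateMessage(hard, ownerUpdateRule, owner, "m1", { user: "u_other" }).status,
    // No session at all.
    hardAnonymousEdit: updateMessage(hard, ownerUpdateRule, null, "m2", { text: "x" }).status,
  };
  results.weakStoredText = weak.get("m1").text;
  results.hardStoredText = hard.get("m1").text;
  return results;
}

console.log(runScenarios());
```

In PocketBase's own rule syntax the owner comparison is written against `@request.auth.id`; the `user` field name used here is assumed, not taken from the project.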

  • @Evansgr123 1 year ago +499

    Obviously you should have implemented a blue check for only valid users who pay $8 for it, which would eliminate any possibility of misuse!

    • @FutureChaosTV 1 year ago +1

      /s


    • @sczoot6285 9 days ago +1

      He really should have though. Imagine how much cash he could have raked in from the trolls

  • @SpaceChicken 1 year ago +563

    Fireship, I understand your painful moderation of the chat app, but I have to say, I had a few of the most fulfilling and satisfying conversations with like-minded individuals there. I haven’t read such intelligent poetry as “elonnnnnnnn#&$@?!” and “FARTFARTFARTFARTFARTFART” in my entire life.

    • @respectthedripkaren4515 1 year ago +42

      I felt so dumb I couldn't come up with these

    • @weblure 1 year ago +31

      Personally, I enjoyed the endless spam of Twitter URLs containing videos of real-life zoophilia porn (because that's apparently allowed on Twitter, somehow)

    • @CMDR_Hadion 1 year ago +8

      @weblure I'm sorry, WHAT!?! Is this a pre-Elon thing or post-Elon thing?

    • @ghosthunter0950 1 year ago +20

      @CMDR_Hadion probably both pre and post.

    • @marusdod3685 1 year ago +1

      i support the current thing

  • @EnricoRos 1 year ago +517

    Reddit meets 4chan for a day? So instructional!! 🙏 Thanks! A crash course in security, psychology, best practices. Twitter in a nutshell.

    • @khrounose 1 year ago +26

      Twitter meets reddit meets 4chan meets discord meets skype meets zoom meets kik meets facebook. Myspace in a nutshell.


  • @ryanpmcguire 1 year ago +443

    I feel like a good way to stop the profanity would be to explicitly state that it is allowed.

    • @flethacker 1 year ago +21

      then you get a swamp

    • @rob011 1 year ago +38

      Encouraged, even

    • @devviz 1 year ago +73

      yes because people only like to do things that are forbidden

    • @SirusStarTV 1 year ago +19

      Aftermath: even more profanity

    • @XxZigonxX 1 year ago +4

      yeah i don't understand why the man does not allow swearing.. the amount of swears i see in day to day is minimal, and they are used to make a statement otherwise lol.

  • @mcrazick8662 1 year ago +591

    If censorship continues in such trends, especially with the use of sophisticated AI, people on social media will become more sarcastic and passive-aggressive :)

    • @alfredogonzalez9420 1 year ago +49

      I mean that's what's going on in china, so yeah we are heading there.

    • @shareefhassan8197 1 year ago +20

      what if AI learned how to detect sarcasm

    • @makowiec2k 1 year ago +133

      @shareefhassan8197 then it would have truly surpassed humans since some of them still don't get it

    • @GrieverIIDX 1 year ago +46

      How to solve h8 speech: realize it isn't real.

    • @helightdev 1 year ago +36

      @shareefhassan8197 I'm looking forward to sarcasm evolving beyond what we mere mortals are currently able to understand. I'm looking forward to reading complex, deep and artistic walls of text written by the greatest poets of our time, just to insult someone's mother.

  • @jesseparrish1993 1 year ago +217

    You can't beat spam on chat apps because chatroom messages are intrinsically spam.

    • @8koi245 1 year ago +6

      I have seen a timeout of 10min in Discord tho, horrible UX but it was needed at the moment

    • @Cyril29a 1 year ago +2

      I don't agree. The difference between spam and any content is value to the audience, and an indicator of the community quality. I would say bad communities devolve into spam

    • @jesseparrish1993 1 year ago

      @Cyril29a Small likeminded communities can curate a chatroom

    • @Cyril29a 1 year ago

      @jesseparrish1993 I don't think they have to be small but they do have to be a real community. That is the essence of my original point

    • @SamuelLing 1 year ago +1

      when someone spams, you post their address 😀

  • @4citi 1 year ago +96

    I gotta say, I love this channel. Enough tech and humor to get me through work

  • @Murmeltier 1 year ago +59

    It's funny to see how programming evolved, but the problems basically stayed the same. I remember the time 20 years ago, when everyone was programming IRC bots to mitigate the same behavior. Maybe on a much smaller scale, tho.

  • @Ayymoss 1 year ago +276

    Are you not going to go over how the exploit worked? That would have been interesting. :(

    • @windyWindward 1 year ago +10

      would love that

    • @adiorthotos 1 year ago +9

      I _need_ a video on this...

    • @tashima42 1 year ago +70

      He most likely forgot to add a rule in pocketbase to only allow the user who created the message to modify it.

    • @shampoable 1 year ago +42

      I assume the "hacker" made a patch request to the message endpoint with the id of the Fireship's message which wasn't disabled or being validated

    • @HappyGick 1 year ago +2

      Pinned comment

  • @PPMBlast 1 year ago +103

    There are currently large scale login attacks on a number of industries. These are all good practices to follow but I'd love to hear suggestions on limiting the maniacs with scripts/headless browsers validating the captcha synthetically

    • @DanielNetSet 1 year ago +1

      headless or no, how do u validate captcha synthetically?

    • @ano_nym 1 year ago +1

      @DanielNetSet new captcha often works in the background, by checking lots of the browser's info. Probably possible to spoof or something.

    • @crushfire2004 1 year ago +4

      Won't recaptcha/cloudflare prompt a picture question like you need to pick a traffic light, boat, bike or car from a grid of pictures when they detect something suspicious?

    • @DogeMultiverse 1 year ago

      did you not watch the video?

    • @captaindrake8040 1 year ago +11

      captchas v3 can be easily deceived and captcha v2 is also being cracked by thousands of India guys doing it for a couple dollars per 1000 captchas

  • @jasonc6241992 1 year ago +9

    Dude I love how you bring current events into your videos.

  • @randxalthor 1 year ago +45

    These are the most helpful videos for me coming from another specialty. All the pitfalls of practical engineering that you usually have to learn the hard way because nobody vlogs about their failures.

  • @shichiha6138 1 year ago +20

    I like how he censored everything he said except "balls" 😂😂😂

    • @mcrazick8662 1 year ago +3

      Without context it is not profanity.

    • @RealJohnnyDingo 1 year ago

      these are not the balls you're looking for 👋

    • @TorutheRedFox 1 year ago

      @mcrazick8662 even with context it's just a slang word that some people decided is a bit naughty

  • @pablorodriguez196 1 year ago +2

    This channel is fantastic. The byte sized, high level, and easy to consume content is incredibly well presented. Kudos man!

  • @TravisRayLive 1 year ago +2

    This was a really great video into some of the trickier aspects of building simple apps. I mean, a chat app 10 years ago would have been a pain, but today it's easy, but there are still so many little things you need to keep an eye on, and I love how you tackle them in a funny but informative way.

  • @andymc1110 1 year ago +5

    Was amazing how much traffic the demo app got. And it was fun to watch all the exploit attempts in real-time. Would love to see this turned into a series where we continue to strengthen, and stress test the app.

  • @PixelSheep 1 year ago +4

    the last sentences really summed up any approach towards trying to create any program ever made

  • @DuckyyFuzzz 1 year ago +19

    Part 1: here’s how to build a public chat app
    Part 2: ten reasons why you shouldn’t build a public chat app

  • @otistically 1 year ago +4

    Moderation: *exists*
    Fireship: I don't need it :)

  • @Achilles 1 year ago +13

    You left out the most important piece! How did that guy overwrite your comment? What was the exploit used?

  • @conororeilly5492 1 year ago +3

    Man, this actually seems like an incredible way of showing people considerations that need to be made when making anything. Streaming it and watching how "trolls", or poltergeists more like, start trying to wreak havoc. I love it

  • @WolfPhoenix0 1 year ago +50

    Why can't someone just create a JS framework that does all of this for us? This is what we really need! 😂

    • @vaisakhkm783 1 year ago +2

      100 frameworks that only 1% effective 😆

    • @marusdod3685 1 year ago +1

      @vaisakhkm783 fork the framework, fix all the bugs then give it a new name


  • @SethBrasile 1 year ago +3

    @Fireship I can't describe how incredibly useful content like this is. This is so so so useful and would make a great format to keep exploring.

  • @HEXX12341 1 year ago +75

    This was quite insightful. All those standard security practices skipped just to please the Arch and hit the deadline - "Just push to prod, we'll solve it when it comes..." 😂
    Awesomely done though! Well done and keep inspiring us like that :)

    • @YosepRA 1 year ago

      Too real... Don't forget that the higher ups will blame you anyway because you can't come up with a robust security system within 3 days deadline.

    • @pianissimo7121 1 year ago

      @YosepRA 3 days?!? Can I apply at your Company?

    • @YosepRA 1 year ago

      @pianissimo7121 As long as you pay for your monthly asylum fee, then yes. 🤣

  • @firedforfighting 1 year ago +1

    This is why i love your work!!! I have met so many wonderful people from chatrooms and have always wanted to make a chat app to do the same for future generations but my got the obscenity/ age verification/ scale that doesn't bankrupt me always had me frozen in fear and I'm so grateful to get a glimpse of what would have happened !! It's so hard to create a safe space..i might save it for when I'm old and retired and can monitor myself lol..thanks for sharing your hard work! I appreciate it🙏

  • @btarg1 1 year ago +2

    I would love to see a series or stream where you take a look at the code of viewer-made apps and try to improve upon it or review it

  • @william254 1 year ago +1

    That was more educational than a tutorial. Getting to see what happens when you deploy your app to a large audience is something we rarely see or experience

  • @michaeltheisen 1 year ago +1

    2:51 is a representation of all of my fears and anxieties encapsulated into one single image.

  • @m4rt_ 1 year ago +19

    0:36 Note, that is an edited headline... it was in fact not about Die Hard.

    • @andrewvella7829 1 year ago

      What was it about?

    • @m4rt_ 1 year ago

      @andrewvella7829 she said some bad stuff about LGBTQ+ stuff iirc

    • @supermanifolds 1 year ago +9

      She was directly harassing a transgender person in violation of our law on targeted hate speech, pretty fucking tone deaf of Fireship to edit it like this I don’t know what he’s trying to insinuate with this joke

    • @pianissimo7121 1 year ago +5

      @supermanifolds that Die Hard isn't a Christmas Movie?

    • @That_Awesome_Guy1 1 year ago +1

      @supermanifolds I'm glad I don't live in a backwards country where you can go to prison for telling someone what gender they really are.

  • @mpldr_ 1 year ago +5

    And this is why you never let a Javascript Developer touch the backend. ^^
    But seriously, good thing that you made this update, so other Devs can learn from it.

  • @jasonrulesudont5515 1 year ago

    Thanks for the follow-up! I had a feeling there would be some shenanigans. I wasn’t brave enough to sign up myself and look at it.

  • @Nomadjackalope 1 year ago

    This is a topic I don't see much about but is something I definitely worry about when making apps with users. Thanks for sharing!

  • @softwaretechnologyengineering

    That's awesome dude. I can't imagine how much you learned while you had that up and running. Fun times.

  • @techpiller2558 1 year ago +1

    The best part was you just trying to have a snack and relax, but the madness just keeps pouring in from the cracks of the ship, lol.

  • @beinyourguard 1 year ago +8

    "Nobody wants to use an app that can be spammed by an unlimited amount of hate speech and profanity"
    **Twitter users looking away**

  • @agentmusichd 1 year ago +138

    Use auto ChatGPT to shut up some users

    • @evryon1810 1 year ago +22

      This is a great use of AI, maybe one day it will be accurate enough to leave moderation to it entirely

    • @antoruby 1 year ago +32

      @evryon1810 don’t forget who decides how the AI was trained to moderate. There’s no “neutral” moderation!

    • @weblure 1 year ago +1

      Sounds like a good way to have the internet send you into bankruptcy by spamming you up an OpenAI bill of 1 billion dollars.
      Also, OpenAI threatens to shut down accounts that send inappropriate messages to the AI, which hilariously makes it all but useless. Sure, they tell you that you can set up filters to prevent this... But then you're just back to using filters, so what's the point?
      Also, ChatGPT is far too restrictive and finds just about anything to be offensive to someone in some way... Unless you find a way to trick it into thinking promoting the holocaust and spamming the n-word is actually a good thing, which isn't that hard to do. Then you're back at square one, except now the spammers are both ruining your app AND making you pay for them to do so.
      Regardless, it's way too pricey to be useful for anything but the world's slowest internet forum.

    • @thesenamesaretaken 1 year ago +21

      @antoruby being subjugated by AI overlords is all part of the fun

    • @TheNewton 1 year ago +10

      Like how some games use bots presented as real players. So I'm waiting for that to be the next shadow ban innovation. Fake chatgpt interactions for the shadow banned so abusers continue to over commit resources instead of another new account.

  • @RealJohnnyDingo 1 year ago +1

    wow, talk about making lemonade out of lemons 😂 great video, Fire Guy!

  • @anurag8411 1 year ago +1

    From a cyber security specialist view I see this is an absolute win, you performed a real world scenario in which a heck lot of people participated and with your app logs and security records we can study the whole case to implement best precautions for future apps, Bro you can just view the logs and the bugs that people used to abuse, I am just giving my opinion but this is an absolute win you performed an experiment on real world people by staying in a minimum collateral DAMAGE! Bravo man!

  • @neoswann2143 4 months ago

    😭😭😭 never knew programming videos would have me cracking up like this. Jeff you're the best 😭✊🏼🔥

  • @mjerez6029 1 year ago

    Amazing work. Would love to see a bit more in depth video about the pocket base performance.

  • @thelastdankbender4353 1 year ago +1

    That edit post about the Norwegian actress made me laugh so hard. For anyone who's curious about the real article in question here, she's actually facing charges because she said the prequels weren't funny.

  • @J-qak 1 year ago

    Love this miniseries, both laughed and learned a lot.

  • @king-cog 1 year ago

    This was very very very educational. Fire content... Keep it coming.

  • @jerseyse410 1 year ago

    I think this was probably my favorite fireship video ever.

  • @thomas6502 1 year ago

    (...takes a moment to recover from the humor response...) Thanks sir, love your channel and sense of humor! May all our ships are belong to fire. Keep up the gr8 jorbs. (That's "thank you" in human talk.)

  • @rob011 1 year ago +1

    Max open files is the most uncomfortable lesson to learn when you first start building scaling apps; Gani is a champion for raising that.

  • @valikonen 1 year ago +8

    Yes! You're a classic fullstack dev!

  • @Ewalk0871 1 year ago +2

    I watched this entire video, as a software QA/ Support engineer, and all I got was that Arby's has the strawberries and cream pies back.

  • @vdynmx 1 year ago +2

    Jeff coming in clutch

  • @manulectric 1 year ago

    This is a really instructive video for those actually deploying apps in the wild!

  • @mayboy401studios 1 year ago +18

    Thank you Mr.Fireship for taking the L for all of us noob programmers that will help shape the next generation internet.

  • @russelllapua4904 1 year ago +19

    This is hilarious. I'm glad some of you are chaotic good 😅

    • @Darth_Bateman 1 year ago +3

      “Good”?

    • @russelllapua4904 1 year ago

      @Darth_Bateman Yes because it's harmless fun. If it was bad then someone could have done a lot, lot worse.

  • @umeshthorbole3875 1 year ago +2

    I just started laughing my ass off at the start of the vid and felt proud of how big the fireship gang is.

  • @ra2enjoyer708 1 year ago +2

    This is kinda the annoying part of building a public site, especially with user generated content. It always has to start with account/auth/invite/moderation systems, but they are pain in the ass and unfun to develop and conceptualise without users and content in place.
    And it also quickly becomes a social engineering problem rather than technical one. To avoid the situations like in the video, comments have to be approved first to appear in public. But a single admin can only do so many approvals, so he has to create an army of mods to do that. And because mods tend not to be of high morals (not to mention being a janny is a boring work), you'd have to create an audit system in place too. Which means a lot of DB interactions start to get lathed with auth-related side-effects and relations, which in turn gets even harder to develop and test. And at some point you end up with a clique of CP-sharing mods who have way too much insider knowledge.
    Basically it's a suffering all throughout.

  • @htmoh8115 1 year ago +1

    I created a chat app site but not fully working. But spam is something I never thought about. What a nightmare.

  • @mhendrickx 1 year ago

    Hah, great video! Security vulnerabilities happen to the best :) Insightful and good learning experience!

  • @BudgiePanic 1 year ago

    I remember when a friend was writing soo many emails, he hit the limit and it stopped him because they thought a bot had taken over

  • @minimalist_zero 1 year ago

    This was fun and informative, thanks!

  • @ANewWorldFool 1 year ago +1

    Thanks for sharing your experience. I was about to deploy a similar app using next js and AWS to showcase it in my portfolio. There were lots of things I didn't take into account 😅. You just saved my broke student's ass. 🙇

  • @UpkommingDeveloper 1 year ago +1

    Man does this channel rock 🤟

  • @prashantmaharana3467 1 year ago

    The wisdom, meme and news makes me feel more than alive ✨

  • @rocket007 1 year ago

    I absolutely positively enjoy watching your content. =D

  • @UselessDuckCompany 1 year ago

    I got banned from twitch once for bad user content so I feel your pain. It's just impossible to automate well.

  • @brianevans4 1 year ago

    I'd like to see you implement all these recommendations and see if you can make it as bulletproof as possible

  • @DogeMultiverse 1 year ago

    this went exactly how i expected it to go. well done internet

  • @LindsayWells 1 year ago

    I absolutely love this so good. Fireship you are a god

  • @secretterminal2179 1 year ago

    I run a small global chatroom bot on discord, with the intention to keep it completely free of moderation. This is intentional, as it's an experiment to see how much I can do to make an experience bearable while also allowing what could be considered extremely toxic behavior. The solution that I eventually arrived on to solve this problem is ultimately personal moderation, like blocking accounts on an individual level to tailor an experience for each user. Just recently I started recording "reputation" (it's named karma for the easy Reddit joke) as a similar solution as to how vrchat tackled this problem. The feature isn't 100% live yet, but the values are still being recorded so the feature isn't completely useless right out of the gate. This does run the risk of alienating new users with good intentions as most individuals would probably set a security level above what a new user would normally have, but that's always the risk with these sort of things is the unintended side effects. The blocking feature has the unintended side effect of making users on the receiving end somewhat mad and making them less likely to speak in the room. There's also the problem of culture and non-invasively cultivating something you're happy with by exposing it to groups of people you trust before gradually making it more publicly available
    I knew this app was gonna fail hard, but that's ok, because that was the point. These sorts of chat rooms are one of the hardest things to get right and it's important that you give your users the ability to make their experience better, because even if you plan on doing direct moderation, one person can only do so much

  • @d-rex7043 1 year ago

    Sounds like a good way to train a Moderation model - just sit there tagging yes/no. Probably have all the labelled data you could ever need in a day or two.

  • @lotfiholmes6397 1 year ago

    This is the best PocketBase ad ever

  • @chachan4142 1 year ago

    "Strawberry and cream fried pie now available at participating restaurants" really caught me off guard 🍓🍩💀

  • @juleswinnfield1437 1 year ago

    This video is fantastic, as always :)

  • @Hikazey 1 year ago

    Why does your voice drop in pitch randomly throughout the video? Do you change microphones or record at different times of the day? Weird questions to ask but it's one of those micro details that bug me because at first I thought it was two different people recording parts. Thanks, love the videos! 😊

  • @rajmajumdar5253 1 year ago +14

    Last but a great video as always, tho please explain the exploit a little bit.

  • @sadafx2473 1 year ago

    "Good luck and may God be with you"...Dude i died laughing after hearing this😂

  • @dennisbarzanoff9025 4 months ago

    omg the captcha is so relatable

  • @hoan.nguyen88 1 year ago +12

    may I ask you what is the software you used to draw the 3d flow chart in the video? Thanks 👍

  • @nullbeyondo 7 months ago

    Just revisiting this project again, and wanted to request you to do it all over but with OpenAI's moderation endpoint! Like it is now actually free to use; no joke. It'd be interesting to test profanity now with virtually infinite advanced AI moderation. Lots of apps that require filters are beginning to adopt it.

  • @luffythestrchykid 1 year ago

    This video is so useful most people don't know... saved and learned...

  • @michaeltheisen 1 year ago

    Saved to "Project Ideas" folder

  • @pkmnan00bis 1 year ago +1

    " Good Luck, and may God be with you. " - Pushing anything Live basically

  • @youkofoxy 1 year ago

    Well, given how users are master of breaking something that just works, I say you did well.
    Also, nice of you to make public your failings, so we can learn from it... or maybe laugh, say "I wouldn't make this mistake" and go on to make a very similar one.

  • @culi7068 1 year ago +1

    - allow people to sign up w/o email
    - each account has a cooldown timer and/or a post limit per a timespan
    - unverified email: +20s timestamp; pooped on a lot: limit of 2 comments/minute; ai suspects toxic comments: [etc]
    - you could also do the inverse where everyone might start with a limit of 10 comments/minute but users with "good behavior" can post more
    that way you still keep your app just as accessible and easy to use as it was previously but add some more dynamic barriers to prevent spammers, dickheads, and ||suicide messages||

  • @nathansganga7273 1 year ago

    "How clinically insane is the patient?"
    "He knows every JavaScript library and framework."
    "Oh dear..."

  • @toxikwastedump 1 year ago

    the problem i've always had with security is #1 my brain doesn't think maliciously by default #2 it's nearly impossible to just imagine every possible scenario and attack vector #3 desperate people with the skills to back it up will inevitably no-life find a way

  • @4.0.4 1 year ago +1

    I think the ideal chat moderation system will some day exist, but it sure isn't there yet. One side would censor everything, the other would 4chan it.

  • @roid1510 1 year ago

    Ah yes. This is fitting for me working on a chat room prototyping app as my end of year project

  • @thatguynamedaguy4997 1 year ago +8

    this is the actual platform for free speech. Not twitter, but a chat app without any security practices

    • @JayVal90 1 year ago +4

      I actually disagree. There’s this principle known as the “heckler’s veto” where someone can use manipulative speech to squelch other speech. That’s still a violation of free speech.
      Ironically, free speech must have some sort of cost associated with it, or else it cannot exist due to spam issues.

  • @drjones694 1 year ago

    I give pocketbase props for handling all this traffic wow

  • @perfectforasiim 1 year ago +1

    What is that site you're using for mapping AWS services at 3:42?

  • @panchopaulo111 1 year ago

    1:27 here you missed the chance of including an amazing George Carlin reference

  • @mmk-69420 1 year ago

    Almost fell off my chair at 1:33 xD

  • @nessimaskye9577 1 year ago

    OMG! First of all, love your videos! Second of all, holy crap - I'm not the only one that has been given an Arby's sandwich with a screw in it?!?! (Super random minor part of the video but duuuuuuuudeeee!!! lol) Anyway - keep up the great work!

  • @nomemeshere253 1 year ago

    I love the fact that he made a video making an app. Then since the app had problems, he got to make another video about it. Common programming W

  • @wed_ward 1 year ago

    Now I want a Fried Strawberries & Cream Pastry... Great video!

  • @thomas_mulhern 1 year ago +2

    What is that UI at 3:36 with all the different AWS components? Is that a design tool, or can you use some type of GUI to connect those things together?

  • @the_bookofcooks 1 year ago

    When I pressed this video, an ad showed up saying, "Imagine... if every person in the United States, suddenly visited your website?"

  • @LowrollerWTF 1 year ago

    recaptcha V3 and blocking bots with cloudflare should've been enough to spam but indeed rate limiting is a nice thing to add

  • @vladoportos 1 year ago +1

    Hahaha this was hilarious :) as somebody who wrote "some bots" before, I haven't met precaution that can't be bypassed, only annoying one is reCAPTCHA, but on the other hand there are literally services with API that you can send the base64 of the captcha and get solved (by human) output for fraction of pennies...

  • @RemotHuman 1 year ago

    You should make a video on vertical scaling