This is why we can't have nice things!

You use the saying "This is why we can't have nice things!" when you're frustrated because you try to do something nice for others, and some idiot abuses or exploits that kindness to achieve something solely for his own benefit while at the same time hurting or harming others.
I've been in the hosting/SaaS industry for more than 15 years. I knew that, sooner or later, someone would try to find a way to abuse Herodesk, too.
I remember it clear as day from when we offered shared web hosting at Meebox.
We were hosting thousands of WordPress installations on behalf of our customers. These installations were, more often than not, either not up to date or loaded with tons of crappy plugins that had all kinds of security issues.
So that was exploited by people with bad intentions, and it was almost a weekly event that a vulnerable WordPress installation hosted with us was hacked and abused to try to send thousands of spam emails (our monitoring systems usually caught this pretty quickly, so it rarely became an issue, but it sure was annoying).
A few months ago, we started offering a 14-day free trial of Herodesk for all new signups.
Instead of onboarding you on our free account, we give you two weeks on our Plus plan with all features enabled, so you can "try before you buy". We've received great feedback on this. New customers really like it.
A few weeks ago, however, I noticed something strange. New accounts were being created with bogus names and contact info. Maybe it was just someone who wanted to check out Herodesk anonymously. But then they started sending emails. Lots of emails.
I gotta admit that the way they pulled this off equally impressed and annoyed me...
We don't have an API that can be exploited or any other way of automatically bulk-sending emails. Instead, they took their time to carefully study and understand the anatomy of Herodesk and how it works (this is the part that impressed me).
This is what happened...
- They set up a Rule (an automation) that whenever a new contact is created, it should send an email to them. Under normal circumstances, this can be used for all sorts of legit purposes. But...
- Then they created 4-5 contacts manually to check that it worked (it did, obviously).
- Next comes the "fun" part. We don't have an API or import function to bulk-create contacts. Instead they created a script on a $5/mo. VPS somewhere and reused their authentication and CSRF tokens to mimic manually creating contacts, and started to create hundreds per minute. And every time they did, an email was sent to them.
Pretty clever...
We spotted it immediately and stopped the emails from being sent, but we wanted to see how it played out. From here, it went back and forth a few times.
We put rate limits in place to prevent quickly creating so many new contacts (no real user does that anyway). They found another way to create contacts (there are two). So we rate-limited that, too.
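The point of rate-limiting "that, too" is that the budget has to be shared: if each of the two contact-creation paths gets its own counter, an abuser just alternates between them. Below is an added example (not Herodesk's code) of an account-scoped sliding-window limiter that both creation paths call; the path names "form" and "inline", the limit of 30 contacts per 60 seconds, and the sample traffic are all assumptions made for the illustration.

```python
"""Account-scoped sliding-window limiter for contact creation.

Added illustration, not Herodesk's own code. It assumes two creation paths
(called "form" and "inline" here) that both call the same limiter, so the
budget is per account, not per path, and switching paths does not reset it.
"""
from collections import defaultdict, deque


class ContactCreateLimiter:
    def __init__(self, max_events: int, window_seconds: float) -> None:
        self.max_events = max_events
        self.window = window_seconds
        # account_id -> timestamps of accepted creations inside the window
        self._events: dict[str, deque] = defaultdict(deque)

    def allow(self, account_id: str, now: float) -> bool:
        q = self._events[account_id]
        cutoff = now - self.window
        # Drop timestamps that have aged out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_events:
            return False
        q.append(now)
        return True


def create_contact(limiter: ContactCreateLimiter, account_id: str,
                   path: str, now: float) -> str:
    # Both creation paths go through the same per-account budget.
    # `path` is only kept for logging/auditing; it does not affect the limit.
    if not limiter.allow(account_id, now):
        return "rate_limited"
    return "created"


def replay(limiter: ContactCreateLimiter, events: list) -> dict:
    """Replay (account_id, path, timestamp) tuples and tally the outcomes."""
    counts = {"created": 0, "rate_limited": 0}
    for account_id, path, ts in events:
        counts[create_contact(limiter, account_id, path, ts)] += 1
    return counts


# Constructed sample traffic (not real data):
# a legitimate user adding 5 contacts roughly one per minute, and
# a scripted account adding 300 contacts in 60 s, alternating the two paths.
LEGIT = [("acct-legit", "form", 60.0 * i) for i in range(5)]
ABUSE = [("acct-trial-x", "form" if i % 2 == 0 else "inline", 0.2 * i)
         for i in range(300)]


def demo() -> tuple:
    limiter = ContactCreateLimiter(max_events=30, window_seconds=60)
    return replay(limiter, LEGIT), replay(limiter, ABUSE)


if __name__ == "__main__":
    legit, abuse = demo()
    print("legit user:", legit)      # all 5 created
    print("scripted account:", abuse)  # 30 created, 270 rate-limited
```

The legitimate user never notices the limit, while the scripted account gets exactly the first 30 creations in the window and is refused for the rest, regardless of which path it uses. In a multi-process deployment the deque would live in a shared store (Redis or similar) rather than in-memory, but the keying decision is the part that matters.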
We then disabled the "send email on contact create" feature for free trial users (it can be enabled on request). They added a credit card(!) to the account to get access.
We suspended the account and blocked a whole lot of IP addresses. So far, those things combined did the trick.
We purposefully didn't just suspend their account right away. We wanted it to play out and see what happened and what we could find.
Besides some spam emails, no harm was done, and we learned a lot that has helped improve our system.
But the lesson remains the same: No matter how much you try to protect things, if it's on the internet and it's publicly available, someone will try to exploit and abuse it. It's a never-ending rat race, and you've gotta stay ahead!
This is why we can't have nice things.