The Fetlife Meatlist Scandal from a Security Perspective


I’m an information security professional (penetration tester) in my day job, so here are some thoughts about what has happened so far. I’m going to update as I find out more.

The bad news:
1. 100k usernames and basic profile info have been leaked.
2. This was made in response to Fetlife not implementing its top-voted suggestion (allowing demographic searches, as other kink sites do), so the idea has been floating around for a while.
3. This is easily scriptable. Anyone with decent web development knowledge could write a script that you point at a popular group and it will go through, scrape all the data shown on each member’s profile and throw it into a table. No exploit is needed; the script only requests pages that any logged-in member can already see.
4. Guys are creeps.
5. Fetlife issued a DMCA takedown but didn’t follow up with any legal action or threats, so it expired and the list went back up.
6. Fetlife is so poorly funded that it can’t get as many quality developers as it needs to keep up with security and updates.

The good news:
1. This info doesn’t include real names or real contact info, just things you could find by browsing someone’s profile (which obviously doesn’t negate the creepiness of all the searching being done).
2. People are noticing and are upset this time.

What can be done?
1. Privacy controls like those Facebook and Google+ implement (who can see your profile, and what it shows to people who aren’t your friends). Unfortunately this likely requires a huge rewrite of the site and will take time.

2. Paid access. Fix the funding problem and lack of development by starting to charge for features or for the entire site. It sucks that a lot of people will leave because of this, but it’s better than turning into another collarme or not addressing the issues.
3. More transparency in the way issues are handled: a board running things at the top, not just Baku making decisions.

4. Restrictions on the back end, such as limiting how much of the database is exposed through the site and rate-limiting searches and profile views, so that one account or IP address can’t pull thousands of profiles in a few minutes.

5. If you are on the list: delete your profile and re-create it. You’ll get a new user ID number, so the link on the list will no longer work. (The list itself doesn’t go away, and if you re-create with the same username you can still be found by it, so pick a new one.)
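The “easily scriptable” point and the “search limiting” suggestion above come down to one thing a site operator can actually observe: one client pulling far more profiles, far faster, than any human browsing would. Below is an added example (mine, not the post author’s and not Fetlife’s code) of the detection logic you could run over web server access logs to spot exactly that. The Apache combined-style log format, the `/users/<id>` profile path, the IP addresses and the thresholds are all assumptions for illustration, and the log lines are constructed, not captured from any real site.

```python
"""Spot profile-scraping and user-ID enumeration in access logs.

Added example, not from the original post or from Fetlife. The log
format, the /users/<id> path, the IPs and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-style line (assumed format): ip ident user [ts] "req" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Profile pages are assumed to live at /users/<numeric id>
PROFILE_RE = re.compile(r'^/users/(?P<id>\d+)$')


def parse_line(line):
    """Return (ip, timestamp, profile_id) for a profile view, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PROFILE_RE.match(m['path'])
    if not p:
        return None  # searches, logins, static files etc. are ignored
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, int(p['id'])


def find_scrapers(log_text, window_seconds=60, max_profiles=20, seq_ratio=0.8):
    """Map client IP -> list of reasons it looks like a scraper.

    Two signals: too many profile views inside any sliding window, and
    profile IDs that are mostly consecutive (sequential enumeration).
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ip, ts, pid = rec
            by_client[ip].append((ts, pid))

    findings = {}
    window = timedelta(seconds=window_seconds)
    for ip, hits in by_client.items():
        hits.sort()
        # Sliding window over the sorted timestamps: peak views in any window
        peak, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        # Fraction of successive fetches that step exactly +1 in user ID
        ids = [pid for _, pid in hits]
        steps = [b - a for a, b in zip(ids, ids[1:])]
        seq_frac = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0

        reasons = []
        if peak > max_profiles:
            reasons.append(f'{peak} profile views in {window_seconds}s')
        if len(ids) >= 5 and seq_frac >= seq_ratio:
            reasons.append(f'{seq_frac:.0%} of fetches are sequential IDs')
        if reasons:
            findings[ip] = reasons
    return findings


# --- constructed sample traffic (not real data) ----------------------------
BASE = datetime(2014, 4, 10, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, second, pid):
    ts = (BASE + timedelta(seconds=second)).strftime('%d/%b/%Y:%H:%M:%S %z')
    return f'{ip} - - [{ts}] "GET /users/{pid} HTTP/1.1" 200 5123'


def build_sample_log():
    lines = []
    # Scraper A: walks /users/100001, 100002, ... one per second
    for i in range(40):
        lines.append(_line('203.0.113.7', i, 100001 + i))
    # Scraper B: two profiles per second from a group member list (non-sequential)
    for i in range(30):
        lines.append(_line('192.0.2.9', i // 2, 100000 + (i * 7919) % 5000))
    # Ordinary member: six profiles spread over ten minutes
    for i, pid in enumerate([100230, 100877, 102003, 100555, 100231, 101999]):
        lines.append(_line('198.51.100.4', i * 120, pid))
    # Traffic the parser must ignore: a search and a malformed line
    lines.append('198.51.100.4 - - [10/Apr/2014:12:00:05 +0000] '
                 '"GET /search?q=rope HTTP/1.1" 200 812')
    lines.append('garbage line that does not match the log format')
    return '\n'.join(lines)


if __name__ == '__main__':
    for ip, reasons in find_scrapers(build_sample_log()).items():
        print(ip, '->', '; '.join(reasons))
```

Run as-is it flags the two scripted clients and leaves the ordinary member alone; the sequential-ID signal separates an enumerator (which is why re-creating your profile to get a new ID only helps if nobody is walking the whole ID space) from a group-list scraper, which is caught by the rate signal alone. The same per-client counters are what a server-side “search limiting” throttle would act on in real time, rather than after the fact.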

Also, for the love of god, people: do not use the same Fetlife username that you use with other services tied to your public persona.

More info from knowledgeable folks is welcomed!


4 thoughts on “The Fetlife Meatlist Scandal from a Security Perspective”

  1. Master K

    Hey Mr P!
    Being in the IT and web hosting industry, when things like this go down I really start thinking: if they can’t prevent lookups through dodgy code, then what chance do they have against MySQL injections or even DDoS attacks?

    For some of us FetLife is an escape from the closed-minded world that we live in, and especially for us it is somewhere that we can be ourselves without it affecting our work lives.

    I run websites for myself and also for clients, but even before launching, everything is bug tested; after all, if it is made by man it can be broken by man! You wouldn’t buy a 6 million dollar house and leave the back door open while you visit the local shops, so why do that with your website?

    At least when the Heartbleed bug came out, as a service provider all of our customers were notified and advised to also notify their customers because of how serious it was, yet FetLife cannot even spend a few minutes to make an announcement to say “This is what has happened, this is how we are combating it, and furthermore this is how we will prevent it in the future.”

    Common courtesy, decency and reassurance go a long way in situations like this. There could be bigger things at stake for the people involved, as not everyone is open about their lifestyle; yet if someone lost their career, marriage and/or family over this issue, FetLife would happily claim “plausible deniability”, although their actions and corner cutting provided the means to facilitate this disaster.

    I think it’s time for FetLife to start thinking seriously about its future and finally get the hint that security is #1 above all else.

    Master K
