35 Comments

Got hacked. Hired the hacker!

Sup!

My SaaS was hacked by a Russian hacker. He figured out how to trick the website limit and was able to create 2 websites on a free plan.
The case actually ended well and it turns out he will work with me on Unicorn Platform.

But how did it happen? Let me tell you the whole story.

It was the first day when I started to come out of my 2 months long isolation. The first thing I did was move to a coworking space.
I can live without a gym, without a barbershop, without a night club, without a food market, but I cannot live without a separate place to work. All those "set up a context", "make a schedule" things just do not work because I rent the smallest possible room to live in and re-invest all the revenue back into my project.

So I moved to coworking. And I worked for 6 whole hours.
Man, that was awesome! Doing your work productively is the best feeling in the world. It makes me feel alive.

After the working day, I left my laptop in the coworking space because I use a heavy MacBook Pro 2012 and do not want my back to hurt. Besides, leaving a laptop at work (https://t.me/serene_startup/37) helps me get more quality rest at home.

I skateboarded home and when I fell on my sofa I saw this: [Intercom chat screenshot]
It means: "look at what I can do))".

I pushed the panic button!
Dozens of ideas instantly came up: what could possibly go wrong and how to prevent it.
The first thing I decided to do was to just talk to him. After all, if a hacker writes first, he wants to talk. It gives me a chance to make him stop his games.

So we talked. He turned out to be a friendly and cool man. He hacks startups for fun, not for cash or glory.
I asked him to tell more about himself. The hacker is actually interested in the startup community and wants to build a product too, but he knows too little about marketing. I promised to teach him how to promote products in exchange for a security consultancy.

He already gave a couple of valuable security and performance insights.
I hope we will continue working together to make each other happier!

🤓

Unicorn Platform got some pretty updates:

301 redirects:
Now you can set up redirects.
It is very useful if you moved to Unicorn Platform from another website builder.

Here is how it works: open our Notion-based changelog: https://unicornplatform.com/changelog

[Screenshot: Unicorn Platform 301 redirects]

Bye Google!
I decided to quit Google Analytics. It has many disadvantages: Google does not respect data privacy, GA has a steep learning curve, GA is blocked by adblockers. So I'm now a happy user of Fathom.
Check out our sweet public analytics page: https://app.usefathom.com/share/svwhbfnj/unicornplatform.com

View this update on Broadwise.org https://broadwise.org/t/unicorn-platform-landing-page-builder-for-startups/126/10

or on Twitter https://twitter.com/unicornplatform/status/1263053305527361536

Unicorn Platform by John Rush
on May 20, 2020
  1. 3

    That was a fun story.
    Congrats to both of you and on moving out of GA.
    I did it too a week ago and it feels great.

    Good luck to you two!

    1. 1

      Hey Michael. Thanks for the warm words.
      Just curious: what analytics tools did you move to?

      1. 1

        Well, colors & fonts is powered by Netlify so it felt logical to go with their analytics.

  2. 2

    Great story :D how were you able to talk to him?

    1. 1

      Good evening!
      Luckily, he started the communication himself in my on-site Intercom chat 🤓

      1. 1

        👋 ahh, had some fancy things in mind, like writing into a file he injected or something like this. But great outcome anyways.

        1. 1

          Ha-ha I'm glad the story is not as exciting as a Hollywood movie 😅

  3. 2

    Hahah brilliant story, congrats on being hacked! Also well done on the new custom fonts and colour options! That’s been a game changer for me !

    1. 1

      Thanks man! 👍 Please let me know if there is something important I need to add to the platform. Even the craziest ideas are welcome!

      1. 1

        Ah maybe not so important, but an easy way to autoplay self-hosted videos would be good - if it has demand from other people. I wrote it on this pro tip - you have to scroll down past my profile header to see the tip: https://yourstack.com/pro-tips/452-autoplay-videos

        1. 1

          I see. This is actually not a crazy idea, but a cool one!

          I refused to create components for non-3rd-party-hosted videos, because I was afraid people would start hosting long movies and my traffic check would spike. I was already overcharged a few times because I forgot to disable video uploading.

          And until I figure out how to serve videos cost-efficiently, I will not allow them back.

          But here is you and your idea! 🙂 I did not view this from the perspective of someone who can upload files to AWS S3 and get a direct link to a video. I forgot users can upload videos on their own servers.

          I will take care of it and prepare options for self-hosted videos.

          Thanks!!! 💜

          1. 2

            😀 great, happy to give you that idea! I think the similar trick works for Wistia.com embeds.

            Embeds in general is another idea — at the moment you have custom html, but many sites give you an embed code (sometimes an Iframe) ..there’s no easy way to paste it in. At the moment you have to recreate a layout with custom HTML to slot in the embed.

            1. 1

              Wistia is on the todo list.

              I can create a set of pre-designed slots with HTML to paste. This will be epic. Thanks!

  4. 1

    Nice story. My only concern would be - clearly this guy doesn't care much for ethics, etc., who's to say he's not going to pull a fast one on you and hack something else when he gets bored or upset.

  5. 1

    At a company that I will not disclose here we once got hacked, in an ugly way. The guy from Poland, an internet security professional, grabbed our AWS master key. We got back to him, offering him about 10% of our monthly infrastructure costs for his unsolicited "service" and kindly asking for a consulting invoice. The email had some inoffensive legal statements, too, but we really did not want to piss him off. Result: never heard from him again.

    1. 1

      Whoa. How did you find out the master key was stolen?

      1. 1

        The guy wrote us and showed it to us. Not one of the most funny moments in my life.

        1. 1

          Gosh I feel you. This sucks.

  6. 1

    Thanks for sharing the link to Fathom. I'll give it a try.

  7. 1

    He didn't ask you for bitcoin? LOL

    I received tons of emails saying I need to buy back my masturbation videos with BTC.

    1. 1

      Stop making so many then...

  8. 1

    Maybe you can share the vulnerability if it's possible, just for learning how to prevent it.

    1. 1

      That was a typical write-access mistake. I forgot to forbid writing to some internal fields of a model.
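
      The "write-access mistake" described in the reply above is usually called mass assignment: a settings endpoint copies every field from the request body onto the model, so a free-plan user can also overwrite internal fields such as the plan or the site limit, which is exactly how a second website could be created on a free plan. The block below is an added, self-contained illustration written for this page; it is not Unicorn Platform's code, and the `Account` model, the `PLAN_LIMITS` table and the `update_profile_*` handlers are all assumed for the example. It shows the vulnerable update next to an allowlist-based fix and runs a constructed attacker payload through both.

```python
"""Mass-assignment example (added illustration, not Unicorn Platform's code).

The model, plan limits and handler names below are assumptions made for
this example; the attacker payload is constructed, not a real request.
"""
from dataclasses import dataclass, field

# Assumed per-plan website limits for the example.
PLAN_LIMITS = {"free": 1, "pro": 10}


@dataclass
class Account:
    email: str
    plan: str = "free"            # internal field: must never be user-writable
    websites: list = field(default_factory=list)

    @property
    def website_limit(self) -> int:
        return PLAN_LIMITS[self.plan]

    def create_website(self, name: str) -> bool:
        """Enforce the per-plan limit; False when the limit is already reached."""
        if len(self.websites) >= self.website_limit:
            return False
        self.websites.append(name)
        return True


# The only field a user may change through the profile endpoint.
USER_WRITABLE = {"email"}


def update_profile_vulnerable(account: Account, payload: dict) -> Account:
    """Copies every submitted key that exists on the model (the mistake)."""
    for key, value in payload.items():
        if hasattr(account, key):
            setattr(account, key, value)   # also writes 'plan'
    return account


def update_profile_fixed(account: Account, payload: dict) -> Account:
    """Writes only allowlisted fields and rejects anything else outright."""
    unexpected = set(payload) - USER_WRITABLE
    if unexpected:
        raise ValueError(f"fields not writable by the user: {sorted(unexpected)}")
    for key in USER_WRITABLE & set(payload):
        setattr(account, key, payload[key])
    return account


def run_attack(update) -> tuple:
    """Replay the constructed attacker payload through `update`.

    Returns (plan, number_of_websites) so the outcome can be checked:
    the vulnerable handler ends at ('pro', 2), the fixed one at ('free', 1).
    """
    acct = Account(email="victim@example.com")
    acct.create_website("first")              # allowed on the free plan

    # Constructed payload: a legitimate email change plus a smuggled plan upgrade.
    payload = {"email": "attacker@example.com", "plan": "pro"}
    try:
        update(acct, payload)
    except ValueError:
        pass                                  # fixed handler rejects the request

    acct.create_website("second")             # succeeds only if the limit was raised
    return (acct.plan, len(acct.websites))


if __name__ == "__main__":
    print("vulnerable:", run_attack(update_profile_vulnerable))
    print("fixed:     ", run_attack(update_profile_fixed))
```

      The fix is the allowlist, not the error message: whatever framework the model lives in, the update path should name the user-writable fields explicitly (Django's `ModelForm.Meta.fields` and Rails' strong parameters `permit` are the built-in forms of this) and ignore or reject everything else, so that plan, limits, ownership and role fields can only change through server-side code.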

  9. 1

    What a story! Luckily he wasn’t a bad guy after all and didn’t ask for some crypto ransom!

    1. 2

      It is not reasonable to extort money from a tiny bootstrapped project 🤓

  10. 1

    Hey Alex. Thanks for sharing about Fathom. I couldn’t find on their website, but how does it work? Do you upload a script to your server? I know some GA alternatives work server side and Fathom says that you could use a custom domain but they also mentioned cookies while staying GDPR compliant so I’m curious.

    1. 3

      Hey!

      It works on the client (JS). Basically, it works like GA from my side. There are 2 things which are different:

      1. I set up a CNAME for a subdomain to serve the script from my own domain:
        [Screenshot: serving the analytics script from a custom subdomain]
        It is done to avoid the tracking being blocked by ad blockers. Someone may think it is inappropriate but I agree with Fathom that it is fine to anonymously collect visitors' data.
        It helps me to make a better app and make better marketing efforts, to then earn more money and therefore make an even better app.

      2. Fathom uses localstorage instead of cookies.

      1. 1

        Just FYI, "cookies" under GDPR is not the technical term for browser cookies only but includes any means of saving data in the browser, local storage included.

        That means it's not GDPR compliant. (And not privacy friendly; that's almost like saying you're anti-gun when you're using knives to kill people...)

        1. 1

          GDPR offers 6 lawful bases for processing data. We don't save anything in the browser / local storage. Alexander is using Fathom Pro, which is cookie-free and privacy-friendly. We don't use localstorage. We only use localstorage for excluding your own visits, and it's fully consensual as required by law :)

        2. 1

          Thanks for the valuable note, Jason.
          I still do not follow all the GDPR rules and I feel shame about it.

      2. 1

        Thanks for the response. Local storage is a smart way to do it.

    2. 1

      Sadly they don't offer any free tier.
      I use slimstats, I wish I could avoid cookies.

      1. 1

        I used Slimstats in one of my previous WordPress-based projects. It worked smoothly.

        What I like about Fathom is that I can share the link with my stats (https://app.usefathom.com/share/svwhbfnj/unicornplatform.com).

        People love digging numbers and I share it with pleasure. But previously I had to create screenshots. It is not a convenient way to share numbers 😅
