How I Learned Cyber Security By Being Attacked By Reddit Trolls

Joe Rezendes — Cyber Security
Joe Rezendes — Cyber Security
Cyber Security is often overlooked by Junior Developers

This was a journey that started in January of 2018. At the time I was a pretty confident front-end developer that was learning how to create full-stack web applications.

I decided to poke around in a community that I knew about. I picked a small community of Minecraft hackers.

I started off with a proof of concept. A single post on Reddit asking if there would be any demand for a web-app that allows users to post reviews about other players.

Here is the original reddit thread: Click Me (Strong language inside)

Image for post
Image for post
Top Comment on thread

After I posted my thread I was greeted by comments like these. The great thing about posting on Reddit before building my first web-app was that I was able to see the demand, get feedback before I began coding, and get people excited to use the app.

A day or so after that initial thread, I put together a very basic version of the website and posted a new thread, in which I welcomed the community to the Beta! Thread Here

Image for post
Image for post
Some comments from that thread

Taking inspiration from anonymous websites like 4chan where users don’t have to register (And I didn’t know a single thing about authentication at the time) I decided to make the website open for anyone to post.

This worked really well for a few hours, and I was really proud refreshing my page and watching new reviews for players come in.

However, all of that changed when the Reddit trolls attacked!

It wasn’t long before I received private messages of people posting porn and gore on the webpage. The worst thing however, was the IP loggers.

In my naive expertise, I decided it would be a great idea to let anonymous users upload images by direct URL. This allowed users to load IP loggers onto the page so that anyone that came online would get their IPs snatched.

Image for post
Image for post
Sorry about that…

So inadvertently I gave out approximately 200 people’s IPs. At the very least however, this didn’t seem to be an issue because nobody reported any issues as a result.

Several hours later was when the spammers attacked. I remember vividly clearing my database as they came. But people were fast, and some resorted to automated scripts that would post long streams of characters. This would be an issue for a long time.

My solution was authentication. I had learned how to do it in class the day of, so I quickly put together a user model and added different levels of permissions. One of which was admin status.

I recruited my team of admins by figuring out who used my website the most. This resulted in a highly motivated groups of admins that liked the website.

Image for post
Image for post
The Admin Portal

After creating an Admin portal, I made it so incoming posts had to be approved. This cut the spam down by quite a bit, since nobody could approve a post without being an admin.

The issue then was people editing user reviews by sending post requests to the server. To access the page you had to be an admin, but to send a post request you just had to be logged in. This continued on for some time, along with people creating hundreds of thousands of users by spamming account creation. (Back-up your databases every now and then!)

Income Google’s ReCaptcha!

Image for post
Image for post

After signing up, I found a really easy to use NPM plugin to set up on all my post routes.

I can’t recommend this enough:

This was all that had to be done in the backend to get the job done.

After adding captchas to everything things were all good and dandy.

The web-app is now in version 3.0 and I’m quite happy with the results.

Being attacked by Reddit Trolls gave me the opportunity to improve myself as a developer. Many of them messaged me that they were going to attack my website until I gave up. In the end I took this conflict as motivation to succeed.

More than that, I’ve learned a valuable lesson: Ship products early and get people excited about your software. It feels great getting live feedback from users and it empowers them when their suggestions turn into features.

The best way to learn Cyber Security is by implementing it while under pressure.

If you enjoyed this article why not follow me on Github?

Written by

Jazz Trombonist turned Marketing Executive turned Software Engineer. Constantly learning more and improving myself. Writing about technology and the arts.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store