NBC, you look like a big company behind a big talent show. But have you ever thought about your security on your voting endpoints? 🤔

I care about API security and audited your API endpoints…

Basically you can vote how often you want and you can — theoretically — get the point statistics of the whole event by bruteforcing the emails and unique identifiers. You just have to generate the right `Authorization` value and just need to have enought computing power to do the point gathering!

I DID THIS FOR TESTING PURPOSES ONLY, DIDN’T MASS-VOTE!

Start the technical “hacking” — (nothing to hack)

Hmm 😂 —NBC, I expected you to be prepered in any way to secure the voting of the performing artists! But as I figured out — like in every live show — it wasn’t like this. Everyone can vote Thousand/Million times through the API. Who can be sure you messured the right votes in your database? …

After setting up a VPC for an AWS Lambda function, your function will lose access to the internet because network interfaces created by Lambda only have private IP addresses, you will not be able to use an IGW to gain internet access. — AWS

I had some troubles to enable internet access again after I setup a VPC. I tried every tutorial and read every AWS documentation and forum but I was too dumb to set it up correctly with these ressources.

Now I want to share my “trial and error” solution 💪

My initial setup:

I had 1 VPC with 4 public subnets in…

In this post I will explain to you why I have to track every outgoing HTTP(s) request to an external source and how I solved it.

First of all let me introduce our 🐳Swelly 🤖Chatbot for Messenger, Kik and Telegram. Our Bot helps people to make better decisions and helps other users with opinions. I don’t want to go into detail now, just try it to see the functionality or read our latest blog post.

In my last blog post I wrote about our first chatbot and the challenge to identify users.

We get a page-scoped user-id from Messenger, so we can’t match existing users with their app-scoped user-id, even though we are using the same FB App for Facebook Login and Messenger Bot Integration.

(..) Ids are page-scoped. These ids differ from those returned from Facebook Login apps which are app-scoped. You must use ids retrieved from a Messenger integration for this page in order to function properly. — Source: Facebook Docs

In my test I had the following user-ids:
page-scoped user-id: 1026377564065xxx (through Messenger Bot)
app-scoped user-id: 10205652825102xxx (through FB App, Facebook Login)
These user-ids are totally different — so we can’t check if the user already exists in our database. We need a user identification to save all votes and swells. …

At 🐳Swell we help people make better decisions by collecting their friends opinions. We have an iOS App for that in the AppStore. (It’s currently Invite-Only — you can use this Code to enter: FBBOT1)
Since Facebook opened Messenger for Bots, this was something we had to jump on right from the beginning.

First let me tell you, how our iOS App works:

Hello and welcome to my new blog about programming (NodeJS), bots, cloud computing, backends, software concepts, devOps, … So in general I want to share my tech experience from the last couple of years. You know there are a lot of problems in the world you can solve with software. I will show you solving concepts based on real projects/problems, sometimes with step-by-step tutorials.

First of all let me introduce myself. My name is Philipp Holly, I grew up in Austria and live currently in Los Angeles (since 2016). I am programmer since I was 14. Building software systems is my passion, my hobby. …