I got an email today that looked like it came from Patreon.
"Let’s ~safely~ hang out"
When I hovered the “Join the Forum” link, it directed NOT through patreon.com, but through apms5.com.
When I clicked it, it took me NOT to patreon.com, but to patreoncommunity.com.
That page immediately asked me for API permissions to view my account information.
(Here, I triple-confirmed with @patreonsupport on twitter that this was an official site.)
Then, despite having my information direct from Patreon’s own API, it asked me to make a NEW account, instead of just associating directly with that information from Patreon.
Everything I’ve just described is EXACTLY what a Phishing Attack looks like. An email that looks official comes in, but links to a third party, masking the link URL behind a big, pretty button. Then that link bounces you to a different site that has the word ‘Patreon’ in it, so maybe it’s for real too. The page doesn’t open to anything, but immediately asks for permissions to view your private data through an API. I mean, you were interested enough to click the pretty button, don’t you want to see what’s behind this permission request? Then you grant the permission to the webpage that has the word ‘Patreon’ in it – but ISN’T patreon.com. Now whoever runs this site has your full name, email address, and a really good indication that you believe the site you just logged into IS the real Patreon. Then you have to make a new, separate account, despite this supposedly being Patreon’s page, and despite having just ‘verified’ your REAL Patreon account with the API.
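The link checks described above (hover target on a third-party domain, landing site with the brand name in a domain the brand does not own) can be automated on the receiving side. This is an added example, not code from the original post or from Patreon; the sample email body, the `OFFICIAL_DOMAINS` set and the naive domain splitting are assumptions for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the email described above: the button links
# through a third-party tracker, a second link goes to the real domain.
SAMPLE_EMAIL_HTML = """
<p>Let's hang out on the forum!</p>
<a href="https://apms5.com/click?u=abc123">Join the Forum</a>
<a href="https://www.patreon.com/settings">Manage your settings</a>
"""

BRAND = "patreon"
OFFICIAL_DOMAINS = {"patreon.com"}  # assumption: domains the sender actually owns

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive: keep the last two labels ("www.patreon.com" -> "patreon.com").
    # Good enough here; a production checker should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def classify_link(href):
    domain = registrable_domain(urlparse(href).hostname or "")
    if domain in OFFICIAL_DOMAINS:
        return "official"
    if BRAND in domain:
        return "lookalike"    # brand name inside a domain the brand does not own
    return "third-party"      # e.g. a click-tracking redirector

def audit_email(html):
    """Returns (button text, href, verdict) for each link so a human can review it."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(text, href, classify_link(href)) for href, text in parser.links]
```

Anything other than "official" on a link that asks you to log in or grant API access is the cue to stop and check the site's domain by hand.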
The next step in this process would be an email from ‘email@example.com’ saying “we have reason to believe your account may have been hacked in a recent security breach;” requesting that you change your password to a specific value so that “a support agent” can access it to “verify its security.” And BOOM! You just gave a Phisher all the credentials they need to do whatever they want with your account, including reroute your bank information so your future income is delivered to them, not you.
This site - being an official site of Patreon and doing everything it does when you sign up - TRAINS PATREON USERS to accept this kind of behavior as normal and official and legitimate. For the record, this is NOT normal, official, or legitimate behavior. This is NOT how a responsible web service provider rolls out a simple support forum for its products.
So long as these forums exist at patreoncommunity.com, instead of community.patreon.com…
So long as the emails sent link through a third party like apms5.com, whoever they are…
So long as participation here requires an external API permission request to access…
And so long as a new and separate account must be created, just to be here…
Patreon is making the internet less safe. For everyone and all platforms.
Patreon users have this experience on patreoncommunity.com, and it IS the official Patreon method. So it becomes “just how these things work.” Then someone erects a phishing website and sends out emails pretending to be Google, or pretending to be Twitch, or pretending to be - yes even - Patreon… And that email, and that site, do exactly the same thing. Except at the end, you don’t get access to an official support forum, you get robbed and then your account gets deleted when they cover their tracks.
There are ways to implement a forum like this. And PatreonCommunity does every one of them wrong. You might as well distribute an official Patreon app for PC, that requires your users disable their antivirus during install, then asks for administrator privileges every time it opens despite not needing those privileges. Many legit companies have done exactly that throughout computing’s history – and in so doing, trained their customers to think nothing of it. Paving the way for malware, trojans, backdoors, and ransom apps to do exactly the same without end users batting an eye.
YOU might not be abusing anyone by operating like this, but you are making it EASY for someone else to. You are making it EASY for your users, customers, and clients to be scammed by the next guy, whose intentions are not so benign.
Patreon, please read this, and redress these MASSIVE security flaws in your platform. Otherwise, every Patreon user who falls victim to a Phishing Attack - whether on Patreon itself, or abroad - is on your hands.