Patreoncommunity.com behaves EXACTLY like a Phishing Attack

I got an email today that looked like it came from Patreon.
"Let’s ~safely~ hang out"

When I hovered the “Join the Forum” link, it directed NOT through patreon.com, but through apms5.com.
When I clicked it, it took me NOT to patreon.com, but to patreoncommunity.com.
That page immediately asked me for API permissions to view my account information.
(Here, I triple-confirmed with @patreonsupport on twitter that this was an official site.)

Then, despite having my information direct from Patreon’s own API, it asked me to make a NEW account, instead of just associating directly with that information from Patreon.

Everything I’ve just described is EXACTLY what a Phishing Attack looks like. An email that looks official comes in, but links to a third party, masking the link URL behind a big, pretty button. Then that link bounces you to a different site that has the word ‘Patreon’ in it, so maybe it’s for real too. The page doesn’t open to anything, but immediately asks for permissions to view your private data through an API. I mean, you were interested enough to click the pretty button, don’t you want to see what’s behind this permission request? Then you grant the permission, giving the webpage that has the word ‘Patreon’ in it – but ISN’T patreon.com. Now whoever runs this site has your full name, email address, and a really good indication that you believe the site you just logged into IS the real Patreon. Then you have to make a new, separate account, despite this supposedly being Patreon’s page, and despite having just ‘verified’ your REAL Patreon account with the API.

The next step in this process would be an email from ‘support@patreoncommunity.com’ saying “we have reason to believe your account may have been hacked in a recent security breach;” requesting that you change your password to a specific value so that “a support agent” can access it to “verify its security.” And BOOM! You just gave a Phisher all the credentials they need to do whatever they want with your account, including reroute your bank information so your future income is delivered to them, not you.

This site - being an official site of Patreon and doing everything it does when you sign up - TRAINS PATREON USERS to accept this kind of behavior as normal and official and legitimate. For the record, this is NOT normal, official, or legitimate behavior. This is NOT how a responsible web service provider rolls out a simple support forum for its products.

So long as these forums exist at patreoncommunity.com, instead of community.patreon.com
So long as the emails sent link through a third party like apms5.com, whoever they are…
So long as participation here requires an external API permission request to access…
And so long as a new and separate account must be created, just to be here…

Patreon is making the internet less safe. For everyone and all platforms.

Patreon users have this experience on patreoncommunity.com, and it IS the official Patreon method. So it becomes “just how these things work.” Then someone erects a phishing website and sends out emails pretending to be Google, or pretending to be Twitch, or pretending to be - yes even - Patreon… And that email, and that site, do exactly the same thing. Except at the end, you don’t get access to an official support forum, you get robbed and then your account gets deleted when they cover their tracks.

There are ways to implement a forum like this. And PatreonCommunity does every one of them wrong. You might as well distribute an official Patreon app for PC, that requires your users disable their antivirus during install, then asks for administrator privileges every time it opens despite not needing those privileges. Many legit companies have done exactly that throughout computing’s history – and in so doing, trained their customers to think nothing of it. Paving the way for malware, trojans, backdoors, and ransom apps to do exactly the same without end users batting an eye.

YOU might not be abusing anyone by operating like this, but you are making it EASY for someone else to. You are making it EASY for your users, customers, and clients to be scammed by the next guy, whose intentions are not so benign.

Patreon, please read this, and redress these MASSIVE security flaws in your platform. Otherwise, every Patreon user who falls victim to a Phishing Attack - whether on Patreon itself, or abroad - is on your hands.



Hey @Roninpawn, welcome to the forum.

I wanted to thank you for joining and sharing this in-depth feedback with us. As a non-technical member of the Patreon team, details like this are not as well-known to me as perhaps they should be. I really appreciate you bringing this information to my attention so that I can explore it more.

On reading your post, I took this feedback straight to our engineering and security teams at Patreon. It is part of a broader discussion we need to have about how we treat these side platforms and the investment we make in them from a technical stance. I’m hoping to get more clarity from our teams about this and I would love to have this forum more integrated into the patreon.com experience.

The safety of our community is absolutely paramount. Thank you again for letting me know about this, I’m hopeful we can make changes to make this experience much safer and feel more trustworthy.


I have to admit, when I first got the invite for this site over a year ago, I was extremely wary because it didn’t seem to be connected at all with the Patreon domain or anything else about it. I did initially think it was a phishing attack and had to do a bunch of digging and I think I even sent an email to patreon to ask if this site was real before I submitted my information.

Since the site was recommendation only after that, I’m guessing a lot of people didn’t have to experience that, but I know you recently opened it up for signups to all creators, so I can see why people are experiencing that again.


On a technical level, this is likely caused by the use of an apex domain for patreon.com - if this forum was on a subdomain, the forum would receive your main Patreon authentication cookies.

It’s unfortunate that the split domain has to exist, but there’s no quick fix here.
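To make the apex-vs-subdomain point above concrete, here is an added illustration (my own code, not anything from Patreon or this forum's software) of RFC 6265 cookie domain matching and of a first-party link check applied to the hostnames named in the thread. It assumes Patreon's session cookie is set with `Domain=patreon.com`; a cookie set without a Domain attribute (host-only) would not reach a subdomain either, which the `host_only` flag shows. The sample links are constructed.

```python
"""
Why community.patreon.com would share Patreon's session cookie while
patreoncommunity.com cannot, and why apms5.com links fail a first-party
check. Domain matching follows RFC 6265 section 5.1.3 (simplified).
"""
from urllib.parse import urlparse


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: hosts are equal, or request_host ends with
    '.' + cookie_domain and request_host is not an IP address."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    if request_host.replace(".", "").isdigit():  # crude bare-IPv4 check
        return False
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """Would a cookie issued by cookie_domain be sent to request_host?
    host_only=True models a cookie set with no Domain attribute."""
    if host_only:
        return request_host.lower().rstrip(".") == cookie_domain.lower().strip(".")
    return domain_matches(request_host, cookie_domain)


def is_first_party_link(url: str, site: str = "patreon.com") -> bool:
    """True only when the link's host is the site or one of its subdomains.
    Lookalikes (patreoncommunity.com) and redirectors (apms5.com) fail."""
    host = urlparse(url).hostname or ""
    return domain_matches(host, site)


if __name__ == "__main__":
    for host in ("community.patreon.com", "patreoncommunity.com", "apms5.com"):
        print(f"{host:24} gets Domain=patreon.com cookie:",
              cookie_sent_to(host, "patreon.com", host_only=False))
    # constructed sample links mirroring the email described in the thread
    for link in ("https://apms5.com/click?to=forum",
                 "https://patreoncommunity.com/",
                 "https://community.patreon.com/"):
        print(f"{link:40} first-party:", is_first_party_link(link))
```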