[RESOLVED] Questionable Webflow Security Practices


#1

Hello everyone.

Today I was browsing reddit.com/r/programmerhumor and came across this highly viewed post showing a website as an example of "How not to do user registration." I laughed at the post, then almost moved on...

But then, believe it or not, I found out the website in question was Webflow after reading a comment from a user who researched it further.

The good news is that the poor approach to user security was (apparently) quickly fixed after someone posted about the weakness on Webflow's Facebook page. That Facebook post is now deleted.

The bad news, and my question here for the Webflow team today, is how can I trust that Webflow is responsible enough to handle my personal information after this recent display of poor user registration?

I have credit cards and passwords hooked up to your services, Webflow, and I am shocked to see you took such a poor approach to user security. I am now worried about my privacy as a paying user of Webflow and would like some reassurance that my valuable information is in good hands. I am now worried and concerned that other parts of your website (beyond user registration) have major security flaws that put my private information at risk.

Please address.

Sincerely,
Christopher


#3

Hi @ctraver2 - we actually have no idea who posted, or what content was posted, on our FB page. None of us were made aware of this issue until now.

We're taking a look now to see what caused that particular user to run into that issue. Your security and privacy are our number 1 priority, and we take every measure to ensure the safety of your data. Also, your CC information is securely held by Stripe.com; we never store CC information on our servers.

Update: we've reached out to the user on reddit to get more details. At first glance it looks like a front-end JavaScript error with the Angular form, potentially caused by a Chrome extension that was interfering with the form submission.


#4

Hey @brryant,

Thanks for doing research into this issue and identifying what might have gone wrong with that user's particular situation. I am also happy to hear all transactions and credit card info are secured via Stripe.

Hopefully it is understandable why I was concerned/surprised when I came across the post and I want to let you know that, on the other end of the spectrum, I am thankful you took the effort to establish communications with the original poster.

