
Dropbike: Data Breaches and Free Bike Rides - d4l3k
https://ipfs.io/ipns/Qmea45XwFtdwaCGAPLRMxFmoUP5YLnknc2WGCGQ3HnDP6f/post/dropbike/
======
warent
How disappointing that they wouldn't even give a simple "Thank you" for you
going out of your way to actually inform them. Don't they realize you could've
just harvested the user contact info for a quick buck and sold a cracked
version of the app for weeks/months before they realized it?

Okay, good job code monkey. Now move along, we have to get back to focusing on
our shitty business.

~~~
d4l3k
Oh, the guy from support was fairly polite. I cut down his responses a bit for
the sake of brevity but I'll clear that up.

For example the initial exchange was:

> Hey Tristan, thanks for reaching out to us about this. We really appreciate
> you telling us about this. We don't have a bug bounty scheme, but I've
> forwarded your feedback to our software team. Thanks again, Tristan.

------
hardwaresofton
This is super tangential to the content of the post, but can we take a moment
to bask in the use of React Native here -- and the fact that it wasn't obvious
it was a React Native app until the OP took the app apart?

Solutions like React Native, NativeScript and Flutter are providing real
developers alternatives to trudging through bullshit on two separate app
platforms just to deliver a similar looking experience to two walled gardens.
This makes me happy.

BTW - I'm not even a React fan, I think it's over-engineered/not as simple as
it should be. However it is/was a paradigm-shift type project and the divorce
from the DOM model to enable support for something like React Native was a
great move as well.

~~~
ReverseCold
You can tell it's react native if it lags (at all). No native app should lag
on a modern phone.

I wrote an app that locally loops over 5MB of JSON and then sorts it based on
a datetime string (which is converted to a date class) - and it does this
every few seconds. You can't tell that this is happening though, because the
phone doesn't lag. It doesn't even use a significant amount of battery. It
just works.

I wrote the same app in React Native + NativeBase earlier, and even though I
implemented that in a smarter way, the app still lagged. Even just a general
react native app that doesn't do anything weird just feels "off" sometimes.

Source: Wrote the same app 4 times (Swift, Java, React Native, Flutter) -
Flutter was the clear winner, and a joy to work with.

~~~
rawrmaan
Not true! Play my game Falcross
([https://www.falcross.com](https://www.falcross.com)) on iOS or Android and
tell me if you feel any lag. It's written in React Native. Less than 3% of the
UI is native code.

You CAN make highly performant software, even games, with React Native. You
just need to take the time to truly understand the platform, and you will reap
massive benefits.

~~~
ReverseCold
Cool! I play that game.

Here's a very unscientific test (showing GPU usage) I did on the Note 8
switching between menus really quickly. It's barely noticeable (if at all) for
me, but it certainly shows on older phones.

Canvas for Android (Native):
[https://i.imgur.com/5mWueG7.png](https://i.imgur.com/5mWueG7.png) Falcross
Menu: [https://i.imgur.com/DpKVNDK.jpg](https://i.imgur.com/DpKVNDK.jpg)

(It's also important to note that this isn't noticeable at all on iOS. The app
is buttery smooth with a consistent framerate on iOS.)

Other than that, a few nitpicks: The "recently played" icon at the top is
clipped for me, the energy/star/circle icons at the top flicker when you
switch views, etc.

Things like that basically don't happen if you use "real" native development
(or Flutter) with "real" native components.

~~~
rawrmaan
Hi there, thanks so much for the bug reports! Would love to see a screenshot
of the clipped icon if you could e-mail it to me at rawrmaan@gmail.com.

The flickering when viewing lightbox/modal views is actually due to my
navigation library, react-native-navigation, which is otherwise excellent. I
believe they're fixing that in their v2 release, at which point those
transitions should be indistinguishable from native.

I've also made a ton of progress on Android performance in the past month,
including the mindblowing realization that I had set hardwareAccelerated=false
in my app's manifest over a year ago. The game should now be very smooth in
all views, even on very low-end Android devices :)

------
kibwen
I'm going to tip my hand here and admit that I upvoted this before ever
reading the post simply because I've never seen an IPFS link in the wild
before. :)

~~~
favadi
... and the page doesn't load for me at this moment.

~~~
prophesi
Yeah, ipns links are pretty slow compared to ipfs links.

The best practice is to have a domain using dnslink[0] which always points to
the most recent IPFS hash on a gateway with the content already pinned. I
believe this is what the IPFS team does for their blog, using a combination of
a static site generator and web hooks.

[0]: [https://github.com/ipfs/go-dnslink](https://github.com/ipfs/go-dnslink)

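For readers who have not met dnslink before, here is an added example (not from the comment above, and not code from go-dnslink) showing what a resolver does with the TXT answer set: it picks out the `dnslink=/ipfs/...` or `dnslink=/ipns/...` value at `_dnslink.<domain>`, follows `/ipns/<dns-name>` delegations through DNS again, and stops at an `/ipfs/` content hash that a gateway can serve. The domains and TXT records are constructed; the CID is the one lgierth posts further down in this thread, used only because it is a syntactically valid CIDv0. The `_dnslink.` prefix and the `dnslink=` value format are the DNSLink convention; the loose base32 shape check for CIDv1 is an assumption of this example.

```python
"""Toy DNSLink resolver, run offline against constructed TXT data (added example)."""
import re

# Constructed sample TXT data, keyed by the _dnslink.<domain> name a resolver
# would query. The domains are made up; the CID is the hash lgierth posted in
# this thread, used here only as a syntactically valid CIDv0.
CID = "QmTUZvRskteBwACHPAepefPLDKhJctWmY6E2XJG9v78oij"
SAMPLE_TXT = {
    "_dnslink.example.org": [
        "v=spf1 -all",                              # unrelated TXT record, ignored
        f"dnslink=/ipfs/{CID}",
    ],
    "_dnslink.blog.example.org": [
        "dnslink=/ipns/docs.example.org/posts",     # delegate to another DNS name
    ],
    "_dnslink.docs.example.org": [
        f"dnslink=/ipfs/{CID}/site",
    ],
    "_dnslink.loop.example.org": [
        "dnslink=/ipns/loop.example.org",           # points back at itself
    ],
}

DNSLINK_RE = re.compile(r"^dnslink=(/(?:ipfs|ipns)/\S+)$")
CIDV0_RE = re.compile(r"^Qm[1-9A-HJ-NP-Za-km-z]{44}$")   # base58btc, 46 chars total
CIDV1_B32_RE = re.compile(r"^b[a-z2-7]{58,}$")           # base32 CIDv1; assumed shape


def sample_lookup(fqdn):
    """Stand-in for a DNS TXT query; returns the constructed records."""
    return SAMPLE_TXT.get(fqdn, [])


def parse_dnslink(txt_values):
    """Pick the single dnslink= record out of a TXT answer set, else None."""
    paths = [m.group(1) for v in txt_values if (m := DNSLINK_RE.match(v.strip()))]
    return paths[0] if len(paths) == 1 else None     # zero or several: reject


def looks_like_cid(s):
    return bool(CIDV0_RE.match(s) or CIDV1_B32_RE.match(s))


def resolve_dnslink(name, lookup=sample_lookup, max_hops=8):
    """Follow dnslink records from a DNS name until an /ipfs/ path is reached.

    /ipns/<dns-name> targets are followed through DNS again, with any trailing
    path appended after the target resolves. An /ipns/<peer-id> target is
    returned unchanged because it needs a network IPNS lookup. Raises ValueError
    on loops, malformed CIDs or too many hops, LookupError when a name has no
    usable dnslink record.
    """
    seen, suffix, current = set(), "", name
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"dnslink loop at {current}")
        seen.add(current)
        path = parse_dnslink(lookup("_dnslink." + current))
        if path is None:
            raise LookupError(f"no usable dnslink record for {current}")
        kind, target, rest = (path.split("/", 3) + [""])[1:4]
        tail = (f"/{rest}" if rest else "") + suffix
        if kind == "ipfs":
            if not looks_like_cid(target):
                raise ValueError(f"malformed CID in record for {current}: {target}")
            return f"/ipfs/{target}{tail}"
        if looks_like_cid(target):                   # /ipns/<peer-id>: stop here
            return f"/ipns/{target}{tail}"
        suffix, current = tail, target               # /ipns/<dns-name>: keep walking
    raise ValueError(f"gave up after {max_hops} dnslink hops from {name}")


def gateway_url(path, gateway="https://ipfs.io"):
    """Turn a resolved /ipfs/... or /ipns/... path into a gateway URL."""
    return gateway.rstrip("/") + path


def safe_resolve(name, lookup=sample_lookup):
    """Same as resolve_dnslink but returns None instead of raising."""
    try:
        return resolve_dnslink(name, lookup)
    except (ValueError, LookupError):
        return None


if __name__ == "__main__":
    for host in ("example.org", "blog.example.org", "loop.example.org"):
        print(host, "->", safe_resolve(host))
```

Two caveats when comparing this toy with a real resolver: the reference implementations also fall back to a TXT record on the bare domain for older deployments, whereas this example only queries the `_dnslink.` subdomain; and the hop limit and loop check are what keep a misconfigured or hostile zone from sending the resolver round in circles, so they are not optional in production code.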
~~~
xur17
I just installed ipfs and noticed this as well - ipns performance is pretty
terrible. I tried loading a page that was created (and therefore stored) on my
node, and it takes a good 10 seconds to load.

edit: looks like this might be relevant:
[https://github.com/ipfs/go-ipfs/issues/3860](https://github.com/ipfs/go-ipfs/issues/3860)

------
lgierth
Link without IPNS, for those who hit cold caches:

- [https://ipfs.io/ipfs/QmTUZvRskteBwACHPAepefPLDKhJctWmY6E2XJG9v78oij](https://ipfs.io/ipfs/QmTUZvRskteBwACHPAepefPLDKhJctWmY6E2XJG9v78oij)
- ipfs://QmTUZvRskteBwACHPAepefPLDKhJctWmY6E2XJG9v78oij (with ipfs-companion)

~~~
d4l3k
The issue with just sharing the /ipfs/ version instead of /ipns/ is that I can
no longer update the site and I just made a small edit to clarify some stuff
so that link is already out of date.

As an alternative, I'd recommend either my website
[https://fn.lc/post/dropbike/](https://fn.lc/post/dropbike/) or the Cloudflare
AMP cache
[https://fn-lc.amp.cloudflare.com/c/s/fn.lc/post/dropbike/](https://fn-lc.amp.cloudflare.com/c/s/fn.lc/post/dropbike/)

~~~
lgierth
You're right - I basically timestamped the then-current version of the name
into a hacker news comment :)

------
tomglynch
Can't access the link - any one provide a mirror for me?

~~~
tomglynch
Mirror:
[https://fn-lc.amp.cloudflare.com/c/s/fn.lc/post/dropbike/](https://fn-lc.amp.cloudflare.com/c/s/fn.lc/post/dropbike/)

------
stockkid
This is pretty cool. But i feel that there's nothing "show hn" about it.

~~~
DC-3
Doesn't the open API library qualify? Though maybe that should be reflected in
the title.

~~~
d4l3k
Sorry if it's not a traditionally formatted Show HN. However, I did write an
open source version of their app while doing this.

[https://github.com/d4l3k/opendropbike](https://github.com/d4l3k/opendropbike)

It's not quite production ready, but does most of the basic things.

~~~
Globz
Don't be sorry! This is such a great write up! Thank you for sharing and I
hope they realise how lucky they are that you properly disclosed BOTH
vulnerabilities with 30 days' notice before public disclosure. I hope they
will follow your advice, or else I believe this won't be the last vuln of this
scope to hit them if they choose to ignore good security practice!

------
Semaphor
Sorry for the tangent, but I find it highly ironic that an ipfs site does not
work without allowing "ampproject.org"…

------
HiroshiSan
This is a great example of one of the pitfalls of iterating quickly if not
done properly.

------
iask
Nice work!

Dropbike - send this candidate an email saying “You, sir, are hired”.

------
ttty
Great find. I guess there are so many low-sec companies.

------
Smushman
Nicely done friend! Learned everything from your writeup too!

------
kapauldo
Wow what a great write up. I respect your engineering and writing skills.

