4
13 Comments

A security flaw in Memberstack

I'm looking for a no-code tool to build a paid membership website. Webflow + Memberstack looks like a popular solution. However, after taking a closer look I realized that it's totally insecure. I mean, the paid content is only hidden client-side. If you only know some basics of the developer console in any browser, you can unhide the paid content by changing one CSS property.

Can you guys recommend a more secure alternative?

  1. 4

    Hi Lukasz 👋 Thank you for posting! You found a bug that we're going to fix ASAP.

    I've shared some more thoughts here plus a few recommendations. Best of luck with your project 🍀

    https://www.loom.com/share/816fe296896844c2b7322b1f7124c638

    1. 3

      Hey @DuncanHamra! Wow! Thank you so much for taking the time to record the video to address my concerns.

      You're right that digital content is inherently stealable. I believe that if a creator has true fans, then they are going to pay for the content, and won't publish it on the Internet. What I'd want to avoid is giving an easy way for bystanders or competitors to steal my content.

      I'm sorry for calling Memberstack "broken by design". I realize that hiding the content client-side is the only possible solution when you don't control page rendering on the server. I hope that my finding will help make Memberstack a better product. Removing the protected elements from the DOM should improve the security.

  2. 3

    @LukaszWiktor Check https://www.outseta.com/, it's a really powerful tool. All the things you need for a subscription business.

    Surprised no one mentioned it.

    1. 1

      Any docs for this? Would love to see if I can integrate with them.

    2. 1

      This comment was deleted 3 years ago.

      1. 1

        Haha, I know that feeling, but that's life. Nothing is that easy and perfect, and when it is, it comes with a cost :D

  3. 2

    Good find. Thanks for the info Lukasz. Commenting for more reach. - Venkat

  4. 1

    Use bubble.io for this mate. It has everything you need and more.

  5. 1

    We actually solved this recently. All for a price of $19 a month and that comes with landing pages, blog, knowledge base as well. We might be looking to increase to $49 a month but will grandfather existing customers of course.

    Our solution is 100% open source as well, with no vendor lock-in.

    By using https://supabase.io/ and https://versoly.com/ (our tool), you can gate member content securely.

    Seems like you have some dev experience so should be very simple.

    You would create a DB in Supabase. Connect it to Versoly. Then only your logged-in users can see the content.

    This solution also scales. Either by page views (we use AWS and the sites are static) or user content (Supabase can handle 10+ million rows easily).

  6. 1

    Bildr (bildr.com) has all the membership functionality.

    You can restrict pages to authenticated users, and restricted content never leaves the servers.

    Bildr isn't just for memberships, though, so you might need to watch a video to learn how to set up membership stuff specifically... but if you're dev-inclined, you'll pick it up fast.

  7. 1

    Hi there,

    You can check out our platform Softr.io, which allows building membership sites without integrating third-party services. This guide will walk you through the process: https://www.softr.io/how-to/create-membership-website

    1. 1

      Softr looks very promising. I'm going to give it a try. Any discount for a fellow indie hacker? The Professional plan which includes the membership feature is a bit too expensive for me.

      1. 1

        Glad to hear that )) Please contact us via live chat on our site to discuss.

  8. 1

    I'm evaluating MemberSpace now. It's also based on the idea of hiding content client-side, but at least they have a more secure option to serve videos and files via a proxy that double-checks if a membership is active.

    1. 2

      This comment was deleted 3 years ago.
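
The difference between hiding paid content with CSS, as the original post describes, and keeping it on the server until membership is verified, shown as an added example that is not part of any post in this thread and is not Memberstack's code. The session shape, the `paidUntil` field, the canary string and all function names are assumptions made for illustration.

```javascript
// Constructed sample data: the canary marks paid markup so a check can search for it.
const CANARY = 'PAID-CANARY-7f3a';
const PAID_HTML = `<article>Lesson 1 full text ${CANARY}</article>`;
const TEASER_HTML = '<p>Subscribe to read this lesson.</p>';

// Hypothetical session shape: { userId, paidUntil }, with paidUntil in epoch ms.
function isActiveMember(session, now) {
  return Boolean(session) && Number.isFinite(session.paidUntil) && session.paidUntil > now;
}

// Pattern described in the post: the paid markup is always in the response,
// and only an inline style decides whether the browser displays it.
function renderClientHidden(session, now) {
  const style = isActiveMember(session, now) ? '' : ' style="display:none"';
  return `<main><div data-gated${style}>${PAID_HTML}</div></main>`;
}

// Server-side gating: membership is checked before the markup is assembled,
// so a non-member response never contains the paid bytes.
function renderServerGated(session, now) {
  return `<main>${isActiveMember(session, now) ? PAID_HTML : TEASER_HTML}</main>`;
}

// Regression check: render the page for each kind of visitor and report
// whether the raw response body carries the canary, ignoring CSS entirely.
function auditLeaks(render, now) {
  const visitors = {
    anonymous: null,
    expired: { userId: 'u1', paidUntil: now - 1000 },
    member: { userId: 'u2', paidUntil: now + 86400000 },
  };
  const report = {};
  for (const [name, session] of Object.entries(visitors)) {
    report[name] = render(session, now).includes(CANARY);
  }
  return report;
}

const NOW = Date.UTC(2024, 0, 1); // fixed clock so the result is reproducible
console.log('client-hidden:', auditLeaks(renderClientHidden, NOW));
console.log('server-gated: ', auditLeaks(renderServerGated, NOW));
```

The same canary check can be pointed at a real staging site by fetching each gated URL without a session cookie and searching the response body for the marker.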
