For the first time since our start in 2018, in the month of May 2025, the BikeTag.org website was targeted by an individual who uploaded inappropriate images that were in no way BikeTags. This individual continued to upload images to the website over the course of 4 days as I, Ken, scrambled to delete the images as soon as they were uploaded. By the 4th day, the anxiety of the games being disrupted was too much for me, so I implemented the ability to lock down the creation of new BikeTag posts to only players who were logged in. This stopped the attacks.
I say we were hacked, but the truth is that someone simply took advantage of a core tenet of this project: to make it easy for anyone and everyone to play the game of BikeTag without needing to log into anything. That means that the upload form accepts anything you give it. We send email notifications to BikeTag Ambassadors with the images that were submitted, but unless those individuals catch it in 15 minutes or less, the submitted images are accepted and the round moves on. The website was implemented in this way to enable more rounds of BikeTag to be played and for less direct interaction from individuals in order to keep the game moving. After 7 years of smooth sailing, someone finally exploited the open nature of our platform.
I would like to think that the impact was pretty low. I was the only person dealing with the constant uploading of inappropriate images, and while I missed a few and they ended up getting posted to the site and other outlets, these items were quickly removed. The days that followed this attack were difficult for several players of one of the games who had to deal with the new requirement of having to be logged in, but after one day most people were able to continue on.
So what does this mean for the BikeTag project moving forward? Well, I can no longer say “surprisingly, luckily, no one has ever maliciously used the website before,” like I used to say. It means that if this happens again we have a mechanism for stopping it that seems to work for low-effort, low-energy attackers. It also means that I have a new fear in the back of my mind that someone will try to attack us again and will do so with more effort. I have added several issues to our GitHub repository to be worked on in the future to help safeguard us, but ultimately, leaving the form wide open for anyone to use is a risk.
One solution to addressing this, which I’ve thought about for many years, is to implement object recognition for the uploaded images and to reject images that don’t come back with a high level match for “bicycle”. The services that would allow us to implement something like this are not free, but it would be pretty cool to see the feature implemented. Maybe I’ll take the time to do that at some point in the future.