I actually kinda agree with him that these are not the biggest issues around. It is a very common issue (Discord for example has various bugs like this (and iirc even excludes security flaws like this from their bug bounty)) and at least they are working on workarounds.
The bigger issue here is the bad response to the person reporting the bugs.
I could just as easily say that this is a fundamental design flaw shared by Bluesky and Discord; e.g. Signal and IRC don’t have this problem. Security isn’t just about response to criticism, but about making design choices which protect users.
Well IRC doesn’t support rich text at all. Even I can admit some text formatting can be a nice feature sometimes. The “disguised link” issue applies to any medium that allows posting formatted hyperlinks like this: https://example.com/
Allowing this kind of formatting for the link cards seems like an odd choice, and seems to stem from reusing the component for other media embeds. Ultimately it’s just an extension of the same principle. With sufficient formatting, you can obfuscate or spoof your hyperlinks. You could argue that the link preview card feature itself is superfluous and not having it at all would help mitigate the issue. The latter part is true, but you need to consider that some people seem to actually want link previews. It’s a staple feature for IRC bots, too.
It’s true that these oversights make it easier to sneak malicious content in your posts and that presents a legitimate security issue. But I think it’s also true that posting a disguised malicious link is trivial in any social media platform. It’s an issue inherent to the way the web is structured. I would consider these pretty minor as far as security flaws are considered.
My other feelings about Bluesky as a project aside, I’m sympathetic to them on this one. The presented issues straddle the line between a bug and a feature and at least they’re promising mitigations. A noncommittal reply four days later is better than what many companies would give. I’m not commending them for handling this especially well, but I don’t think it’s TechTakes level bad.
I actually kinda agree with him that these are not the biggest issues around. It is a very common issue (Discord for example has various bugs like this (and iirc even excludes security flaws like this from their bug bounty)) and at least they are working on workarounds.
The bigger issue here is the bad response to the person reporting the bugs.
I could just as easily say that this is a fundamental design flaw shared by Bluesky and Discord; e.g. Signal and IRC don’t have this problem. Security isn’t just about response to criticism, but about making design choices which protect users.
Well IRC doesn’t support rich text at all. Even I can admit some text formatting can be a nice feature sometimes. The “disguised link” issue applies to any medium that allows posting formatted hyperlinks like this: https://example.com/
Allowing this kind of formatting for the link cards seems like an odd choice, and seems to stem from reusing the component for other media embeds. Ultimately it’s just an extension of the same principle. With sufficient formatting, you can obfuscate or spoof your hyperlinks. You could argue that the link preview card feature itself is superfluous and not having it at all would help mitigate the issue. The latter part is true, but you need to consider that some people seem to actually want link previews. It’s a staple feature for IRC bots, too.
It’s true that these oversights make it easier to sneak malicious content in your posts and that presents a legitimate security issue. But I think it’s also true that posting a disguised malicious link is trivial in any social media platform. It’s an issue inherent to the way the web is structured. I would consider these pretty minor as far as security flaws are considered.
My other feelings about Bluesky as a project aside, I’m sympathetic to them on this one. The presented issues straddle the line between a bug and a feature and at least they’re promising mitigations. A noncommittal reply four days later is better than what many companies would give. I’m not commending them for handling this especially well, but I don’t think it’s TechTakes level bad.