Well IRC doesn’t support rich text at all. Even I can admit some text formatting can be a nice feature sometimes. The “disguised link” issue applies to any medium that allows posting formatted hyperlinks like this: https://example.com/
Allowing this kind of formatting for the link cards seems like an odd choice, and seems to stem from reusing the component for other media embeds. Ultimately it’s just an extension of the same principle. With sufficient formatting, you can obfuscate or spoof your hyperlinks. You could argue that the link preview card feature itself is superfluous and not having it at all would help mitigate the issue. The latter part is true, but you need to consider that some people seem to actually want link previews. It’s a staple feature for IRC bots, too.
It’s true that these oversights make it easier to sneak malicious content in your posts and that presents a legitimate security issue. But I think it’s also true that posting a disguised malicious link is trivial in any social media platform. It’s an issue inherent to the way the web is structured. I would consider these pretty minor as far as security flaws are considered.
My other feelings about Bluesky as a project aside, I’m sympathetic to them on this one. The presented issues straddle the line between a bug and a feature and at least they’re promising mitigations. A noncommittal reply four days later is better than what many companies would give. I’m not commending them for handling this especially well, but I don’t think it’s TechTakes level bad.
Well IRC doesn’t support rich text at all. Even I can admit some text formatting can be a nice feature sometimes. The “disguised link” issue applies to any medium that allows posting formatted hyperlinks like this: https://example.com/
Allowing this kind of formatting for the link cards seems like an odd choice, and seems to stem from reusing the component for other media embeds. Ultimately it’s just an extension of the same principle. With sufficient formatting, you can obfuscate or spoof your hyperlinks. You could argue that the link preview card feature itself is superfluous and not having it at all would help mitigate the issue. The latter part is true, but you need to consider that some people seem to actually want link previews. It’s a staple feature for IRC bots, too.
It’s true that these oversights make it easier to sneak malicious content in your posts and that presents a legitimate security issue. But I think it’s also true that posting a disguised malicious link is trivial in any social media platform. It’s an issue inherent to the way the web is structured. I would consider these pretty minor as far as security flaws are considered.
My other feelings about Bluesky as a project aside, I’m sympathetic to them on this one. The presented issues straddle the line between a bug and a feature and at least they’re promising mitigations. A noncommittal reply four days later is better than what many companies would give. I’m not commending them for handling this especially well, but I don’t think it’s TechTakes level bad.