zlacker

[return to "So this guy is now S3. All of S3"]
1. Cianti+u2[view] [source] 2023-05-04 19:04:23
>>aendru+(OP)
Solution is also on the works like use /.well-known/, so this is more like funny, rather than a big problem.

Key to trick was to have bucket named "xrpc" and store a file there: https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHa...

There is also another funny thing in the image, the user posting about is sending one from "retr0-id.translate.goog", which is odd. Somehow he has got https://retr0-id.translate.goog/xrpc/com.atproto.identity.re... to redirect to his page, and gotten that handle as well.

◧◩
2. chrism+F7[view] [source] 2023-05-04 19:27:14
>>Cianti+u2
Eh, it’s worse than just funny; it’s concerning, because they should have known about and easily avoided this kind of vulnerability, it’s standard stuff you have to think about. So what else have they missed?
◧◩◪
3. stevek+c8[view] [source] 2023-05-04 19:30:09
>>chrism+F7
This is a private beta. Nobody is suggesting that any of this be used for anything serious just yet. Development happens out in the open, you can go find out what else they've missed by doing the work, or by waiting until others you trust have done so.

I myself have had an account for like a month now, but only started really using it a week ago, because that calculus changed for me, personally.

Like, it's not even possible to truly delete posts at the moment. This all needs to be treated as a playground until things mature.

This isn't even the first "scandal" related to this feature already!!!! There is another hole in what currently exists that allowed someone to temporarily impersonate a Japanese magazine a few weeks back.

◧◩◪◨
4. 9dev+v9[view] [source] 2023-05-04 19:35:20
>>stevek+c8
Dunno. That’s such a fundamental piece of thinking you just have to come across in the design phase, I don’t know how you would build a beta that didn’t avoid the issue in the first place unless you had a flawed take on security in the first place.
◧◩◪◨⬒
5. stevek+fa[view] [source] 2023-05-04 19:38:47
>>9dev+v9
It is surely easy to cast stones at a single bug, but I don't think that's the right way to look at things.
◧◩◪◨⬒⬓
6. 9dev+md[view] [source] 2023-05-04 19:54:50
>>stevek+fa
I wouldn’t have made my remark if this would just be a bug, though. We’re looking at a bespoke domain ownership verification mechanism that doesn’t handle its primary usecase well, failing at something solved in lots of different ways over the past decades.

I have written atrocious bugs over the years, so I’m definitely not in the stone casting business here. However, I can’t see this as simply a bug, rather than a fundamental design flaw. And if an entity is both becoming infamous for reinventing the wheel, and attempting to fill a sensitive niche, I feel it has somewhat of an obligation to accept criticism such as that.

◧◩◪◨⬒⬓⬔
7. stevek+tg[view] [source] 2023-05-04 20:09:25
>>9dev+md
> We’re looking at a bespoke domain ownership verification mechanism that doesn’t handle its primary usecase well

Okay this is exactly what I mean. How well do you know the AT Protocol? Because this comment seems to indicate you just learned about it from this link, yet you're still making grand claims like this.

This method of validating your identity isn't the primary one. It's not even documented! It was added two weeks ago, as an API endpoint to help serve moderation and administrative needs. Turns out the URL structure of the rest of the API is a bad call for this endpoint.

> and attempting to fill a sensitive niche,

If you want to criticize AT Protocol on privacy issues, there are far more important things that are closer to the fundamental aspect of the design to criticize.

[go to top]