zlacker

[return to "So this guy is now S3. All of S3"]
1. Cianti+u2[view] [source] 2023-05-04 19:04:23
>>aendru+(OP)
Solution is also on the works like use /.well-known/, so this is more like funny, rather than a big problem.

Key to trick was to have bucket named "xrpc" and store a file there: https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHa...

There is also another funny thing in the image, the user posting about is sending one from "retr0-id.translate.goog", which is odd. Somehow he has got https://retr0-id.translate.goog/xrpc/com.atproto.identity.re... to redirect to his page, and gotten that handle as well.

◧◩
2. chrism+F7[view] [source] 2023-05-04 19:27:14
>>Cianti+u2
Eh, it’s worse than just funny; it’s concerning, because they should have known about and easily avoided this kind of vulnerability, it’s standard stuff you have to think about. So what else have they missed?
◧◩◪
3. stevek+c8[view] [source] 2023-05-04 19:30:09
>>chrism+F7
This is a private beta. Nobody is suggesting that any of this be used for anything serious just yet. Development happens out in the open, you can go find out what else they've missed by doing the work, or by waiting until others you trust have done so.

I myself have had an account for like a month now, but only started really using it a week ago, because that calculus changed for me, personally.

Like, it's not even possible to truly delete posts at the moment. This all needs to be treated as a playground until things mature.

This isn't even the first "scandal" related to this feature already!!!! There is another hole in what currently exists that allowed someone to temporarily impersonate a Japanese magazine a few weeks back.

◧◩◪◨
4. 9dev+v9[view] [source] 2023-05-04 19:35:20
>>stevek+c8
Dunno. That’s such a fundamental piece of thinking you just have to come across in the design phase, I don’t know how you would build a beta that didn’t avoid the issue in the first place unless you had a flawed take on security in the first place.
◧◩◪◨⬒
5. stevek+fa[view] [source] 2023-05-04 19:38:47
>>9dev+v9
It is surely easy to cast stones at a single bug, but I don't think that's the right way to look at things.
◧◩◪◨⬒⬓
6. bisby+Ci[view] [source] 2023-05-04 20:20:07
>>stevek+fa
"We'll build our own validation instead of using one of the existing standards that make perfect sense." is not just "a single bug". It's a flaw in architecture.

A PR of "Change external domain validation to use .well-known (or DNS01, etc)" is not a "bugfix"

◧◩◪◨⬒⬓⬔
7. mtae+Hk[view] [source] 2023-05-04 20:31:09
>>bisby+Ci
okay so clearly you don't know what you're talking about because they do use existing standards/DNS as the primary way to validate domain ownership. It's free to not say anything and read the comments first before going off about something!
◧◩◪◨⬒⬓⬔⧯
8. i_am_j+Hp[view] [source] 2023-05-04 20:57:00
>>mtae+Hk
>okay so clearly you don't know what you're talking about because they do use existing standards/DNS as the primary way to validate domain ownership.

I'm not going to speak for the commenter you're replying to, but I don't think anyone here is talking about the standards-compliant, DNS-based domain verification system. I think we're all talking about the non-standards-compliant, /xrpc/-path verification.

[go to top]