We know about these. We have mitigations planned. We don’t think they’re cause for huge alarm.
Bluesky posts have a rich text system, which means links in posts are similar to anchor tags. It’s not a markup; it’s a way to annotate slices of a string with facets such as links or bold or etc. This means you can linkify any text, thus the first concern raised. We intend to create an interstitial warning if the linkified text doesn’t show the domain clearly.
The posts also have an embed system for images, links, and other posts. We currently naively accept the link cards as published, and we need to stop doing that and fetch the link cards on read instead.
As someone who's been following development and the situation in general, I just thought I'd pop in to say "I second this" - which normally wouldn't be a very useful reply, but I think people are (rightfully) skeptical of first-party claims when it comes to the significance of security issues.
I think it's better to just not allow custom text for links. It's the behavior people are accustomed to from years of using various social media platforms.
Maybe not the vulns. But the interaction with a security researcher. Like this part: "Bluesky has responded to only one of these reports, one time, 4 days after submission, saying "We appreciate the report, and we'll be taking a closer look at the issue.". They did not follow up on that report and they have not responded to any of my other reports."
It shows all signs of a company without a working security process.
If a website accepts (safely sanitized) HTML input, and I report that it's a security issue that I'm allowed to post:
<a href="https://evil.com/">good.com</a>
, how much of a response am I owed?
"Yes, thank you, we're aware" seems more than adequate to me. Engaging a full-blown vulnerability disclosure process for something like this seems like a waste of time for everyone involved.
I'm one of the engineers at Bluesky that handles incoming security reports. We of course do take reported security issues very seriously. We have worked positively with a number of researchers.
The initial email in this case was received on a Friday afternoon, reviewed briefly for severity, and then acknowledged on the following Tuesday. There was a reply from another engineer on Wednesday to a reply by the reporter.
But we certainly could have followed-up better, and we could have been more clear. We're a very small team and the severity was deemed low, but even so we'll try to do better in the future for similar cases.
We do want to handle these kinds of reports better than most companies do. Creating a safe and secure system for users (which include our own families and friends) is something the team very genuinely cares deeply about.
I'm the reporter of these (and other) issues and the author of the vuln repository this article links to.
While I appreciate your response, the accuracy of the timeline your provided (Wednesday's email was about documentation), and your comment that "[w]e do want to handle these kinds of reports better", I can't help but point out that even today, Bluesky still hasn't reached out to me about the specifics of these (and other...) vulnerabilities. Bryan Newbold did email me a week after this disclosure to answer a few questions, but it didn't address the vulnerabilities at all; I like Bryan -- the few discussions we've had have been positive -- but he isn't the person that should have emailed me.
Sidenode, https://bsky.app/profile/jacob.gold/post/3k7frqmvhft2b sure did seem personal. The timing suggests that it was made solely to mock the situation. (To be clear, I like and respect @retr0.id a lot; I've bounced some of my ideas off of him and he's the "second security researcher" I referred to in the vuln respository.)
This whole thing has put an extremely bad taste in my mouth.
And if they drop by, they could also address the poor handling of security reports as described in the fine article. Because if the only way to get a reply about security issues is to get it to the front page of HN, that's a sign to me that the security team, if there is one, is deeply underwater.
Please take into account that Bluesky is still young and run by a small team which is moving fast. Ignoring a few reports that they consider non-critical is not a strong negative signal, especially not during a time of rapid growth and while they're in beta and invite-only. They just cracked the million users and are probably navigating through a lot of chaos on a daily basis. Those of us who've been in similar situations know that this is normal.
There doesn't seem to be any response to this from the Blue Sky team so far.
I can't help but think that Jack doesn't believe in Blue Sky that much. From what I can find, he doesn't seem to participate or even have an account. Meanwhile, at least Elon and Mark both post regularly on their social media sites.
He's been very vocal about disliking the average bluesky user. IIRC he's said they aren't accepting enough, there's more details somewehere on his nostr account.
I can’t be the only one who finds a lot of these new federated social networks to be a bit fishy… the whole idea is really great but bluesky & now metas “threads” are really only pseudo-federated. They both claim the future option to choose your instance but by default you start out on their centralized instance. This feels like a predatory tactic to be able to control the average user who doesn’t care about the value of decentralized networks.
these are pretty boring. we've been playing with them for months now. there was no response because people have beat the hell out of this particular horse already
if you consider it an exploit you should probably consider, say, github issues markdown to be exploitable
the tl;dr is the server shouldn't trust the client and the client shouldn't trust the server to supply accurate link cards or link metadata.
right now it's not a huge deal because there's only one instance and it is invite-only. consider it demo grade software.
We used to retain post history, but that’s been removed with repo v3. We prioritized taking media down ages ago. If anything like that is still happening, it’d be CDN cache and I’d have to pester the backend team to make sure it’s being cleared in delete reliably
Is video happening soon? As someone mostly going viral 8n twitter with videoes, it's the one thing missing from completing my move. Still use bsky a lot to discuss, but to share my videoes embedded in Twitter gives much more traction than a YT link on bsky.
Most of the people in Norway I followed on Twitter did a mass exodus over there a month ago, and it seems to have gained critical mass in my circle, at least.
With Mastodon only a few people tried, and when it didn't get much traction they stopped posting there quickly.
You've made your point; you don't need to keep posting the same thing. If the whole point of Bluesky is to be decentralized, should they have first released a centralized beta version? IMO no, but they had reasons that make sense. It looks like they are still planning to decentralize in good faith.
just throwing out there that ActivityPub has been given Recommendation status at the W3C (what is a recommendation? https://www.w3.org/standards/)
ATProto is a NIH reinvention of the wheel by a "public benefit LLC" of unclear ownership* that has demonstrated time and again its unwillingness to take a seat at the table within a group like the W3C or the IETF in protocol development.
"Public benefit" is simply a marketing term when applied to a private for-profit corporation. It operates like any other company, with an extra line in its mission statement that it will operate for the public good. What does that mean? Nothing. Who enforces it? No one.
I am not on a first name basis with the people involved. If they're already involved in IETF processes I am sure they're familiar with the Independent Submission process for the RFC Editor (RFC 4846)
ActivityPub is fine as long as you're okay with a specific server owning your account and all your data. Many people just want that not to be the case.
Bluesky posts have a rich text system, which means links in posts are similar to anchor tags. It’s not a markup; it’s a way to annotate slices of a string with facets such as links or bold or etc. This means you can linkify any text, thus the first concern raised. We intend to create an interstitial warning if the linkified text doesn’t show the domain clearly.
The posts also have an embed system for images, links, and other posts. We currently naively accept the link cards as published, and we need to stop doing that and fetch the link cards on read instead.