this post was submitted on 19 Jun 2023
13 points (100.0% liked)

 
  1. I create a well crafted post to a normal site that gets 10.000 upvotes.

  2. I change the URL to a malicious site.

  3. ??????

  4. Profit

top 13 comments
[–] original_ish_name@latte.isnot.coffee 4 points 1 year ago (1 children)

There's also

  1. I create a well crafted post with a url to a normal site in the body of my post that gets 10.000 upvotes.

  2. I change the URL to a malicious site.

  3. ??????

  4. Profit

[–] lemann@lemmy.one 1 points 1 year ago

This pretty much - any user can do the same to a link in the body of a post

[–] Sal@mander.xyz 2 points 1 year ago (1 children)

It makes it a little bit easier to do, but it is not difficult to replicate this effect without changing the URL in the title - using a redirected URL and changing the redirect address, for example.

I think that this small increase in the way this kind of attack can be delivered is more than counter-balanced by the convenience of having editable titles.

[–] morrowind@lemmy.ml 1 points 1 year ago (1 children)

Most subreddits also blocked redirect links for (partially) this reason.

[–] Sal@mander.xyz 1 points 1 year ago* (last edited 1 year ago) (1 children)

You don't need to use a known redirect link. If the plan begins with a post that obtains 10,000 likes, I am sure the attacker can spend a small amount of effort and register a domain.

[–] deweydecibel@lemmy.world 0 points 1 year ago (1 children)

Surely you don't think that's equivalent to a simple 5 second copy paste of a new URL into the textbox, right?

And it's not just about attack vectors, it's also about stealth ads and misinformation

[–] Cinner@kbin.social 3 points 1 year ago

I'm not sure what you're getting at but he's right, it's incredibly simple to set up a new redirect site.

[–] SheeEttin@lemmy.world 2 points 1 year ago

Yeah, this is why reddit didn't allow it. I don't think Lemmy should either.

[–] Sulfur@kbin.social 1 points 1 year ago

Reminds me of a long time ago when GameSpot and GameFAQs forums merged. GameSpot users had the ability to edit titles so they would have threads like "what's your shoe size?" Then they would change the title to something like "how old are you?" to get the GameFAQs posters banned (due to the minimum age requirements)

[–] ronaldtemp1@lemmy.world 0 points 1 year ago* (last edited 1 year ago) (1 children)

I see what you are doing here. But being able to edit title is so convenient, I couldn't live without it.

Maybe add a heads-up notice saying the URL has been specifically edited after some time has passed since post creation? e.g. Two hours?

Or do something like what Twitter is doing now, letting users add specific context on the title notifying people about what changed, even confirming misinformation?

Or always crosscheck the hyperlink in title or body with an open-source malicious site database and flag all malicious sites once and for all?

[–] DrYes@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not talking about the title but the actual page a post links to. Your idea to mark edited URLs is great, though.

> Or always crosscheck the hyperlink in title or body with an open-source malicious site database and flag all malicious sites once and for all?

The internet is in flux. Once and for all is not possible.

[–] ronaldtemp1@lemmy.world 1 points 1 year ago

I see! Thanks for clarifying.

[–] BombOmOm@lemmy.world -3 points 1 year ago* (last edited 1 year ago)

The url and title should both be locked after a post. The contents should be free to change, that way updates and such can be posted if necessary.

Comments can continue to work as-is, there is a similar danger there, but it doesn't matter nearly as much.
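
The "mark edited URLs" idea suggested in the thread, sketched as an added example that is not part of the original thread and is not Lemmy's code: it reports links in the current revision of a post (link field or body) that were not there during a grace window after creation. The `Revision` record, the function names, the two-hour window and the sample history are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit, urlunsplit

GRACE = timedelta(hours=2)   # assumption: the "two hours" floated in the thread
URL_RE = re.compile(r"https?://[^\s)>\]]+", re.I)

@dataclass
class Revision:              # hypothetical edit-history record, not Lemmy's schema
    at: datetime
    url: str                 # the post's link field
    body: str                # the post's text body

def normalize(link):
    """Comparable form: lower-cased scheme and host, no fragment; None if unusable."""
    try:
        p = urlsplit(link.strip().rstrip(".,;"))
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        port = f":{p.port}" if p.port else ""
    except ValueError:       # e.g. malformed IPv6 literal or port
        return None
    return urlunsplit((p.scheme, p.hostname.rstrip(".") + port, p.path or "/", p.query, ""))

def links(rev):
    """Every link a reader can click: the link field plus links in the body."""
    found = [rev.url or "", *URL_RE.findall(rev.body or "")]
    return {n for n in map(normalize, found) if n}

def links_added_late(revisions, grace=GRACE):
    """Links in the current revision that were not present during the grace window."""
    revs = sorted(revisions, key=lambda r: r.at)
    created = revs[0].at
    seen_early = set()
    for r in revs:
        if r.at - created <= grace:
            seen_early |= links(r)
    return sorted(links(revs[-1]) - seen_early)

# Constructed sample history: a fragment tweak after 30 minutes, a link swap after 3 days.
T0 = datetime(2023, 6, 19, 12, 0)
HISTORY = [
    Revision(T0, "https://news.example/story", "Source: https://docs.example/a"),
    Revision(T0 + timedelta(minutes=30), "https://news.example/story#top", "Source: https://docs.example/a"),
    Revision(T0 + timedelta(days=3), "https://swapped.example/landing", "Source: https://docs.example/a"),
]

if __name__ == "__main__":
    for link in links_added_late(HISTORY):
        print("link changed after the grace period:", link)
```

The check compares only the URLs stored with the post, so a redirect whose destination is changed on the linked server, as raised earlier in the thread, is outside what it can see.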