#Bluesky continues to be entirely non-responsive to the numerous security vulnerabilities I've reported to them, so I spent the evening writing up a nice README and a framework with exploit modules, and just made it all public.
@stux@north
Come on! they will never disclose how many ultra critical priorities BlueSky has, but the full team is working on mitigations around the clock \j
@Andres@north :blobcatgiggle: i certainlly hope not indeed! haha!
It's more about the reply that was not needed in such a way and prompt reponses like mine :ablobwink:
Take mine with a grain of salt but certainly more people will start to think it, if they just had said "working on it" or "added" it was done :blobcatgiggle:
@stux@Andres The dismissive response isn't great, but if they had ever responded to me by saying "we don't think this is important", it would have opened the opportunity to explain the ways it could be abused, that they weren't considering.
What bothers me most is the lack of response. It shuts down any possibility of that explanation and gives the impression that it's your efforts that are what isn't important to them.
As to the question of worse issues existing - I can confidently say yes.
@north the only way that could be true is if there are so few people on bsky or relying on it for info, that the impact of disinfo is negligible. So … maybe?
@jhwgh1968@neilcar I actually inquired whether they had one (they obviously don't) and suggested that they consider it.
The creation of bug bounties has made a huge impact on the amount of abuse that vulns see. If it's worth more for somebody that would have otherwise used/sold a vuln to instead report it, that's an easy win for all parties.
I quoted Neil's comment here to some friends, because they absolutely nailed it, and said it so succinctly.
@north I said this before but they have very few developers, and get pulled between ‘nice to have’ user features, user safety, and security. The whole thing is years away from being ready for the public at any scale. This is another good example of it.
@north This isn't an implied criticism of you, by the way, because it is a clear flaw, and not even a criticism of the developers either, because I think that if they're even halfway professional, then their priority is probably big stuff that we don't know about (which could be quite bad). They just shouldn't have launched yet.
@north
Omfg I found the link card one too and didnt even bother reporting it because they also didn't respond to my raising alarms about abuse potential in their tagging and feed building systems. Total security trainwreck - their federation sandbox actively prohibits redteaming which is fuckin preposterous
@Ulrich_the_Elder@tavi@north apparently jack deleted his bluesky account yesterday -- pretty sure he doesn't care about bluesky anymore and prefers to hang out with the other coinfuckers on nostr
Fun bonus fact: There are two little secrets hiding in plain sight on that screenshot.
There are RTL character shenanigans that cause my name to wrap around my handle.
My handle is literally not valid. It's technically @https.s3.aws.amazon.com (😏), but they changed it in part of the system to @handle.invalid, which makes the site put in that nice ugly "⚠️Invalid Handle" text.
@north olease let me know.if they start #ShootungTheMessenger so others can spare the time and effort to contact them and just sell the code to #Zerodium and other #exploit buyers...
Add comment