mcc,
@mcc@mastodon.social avatar

I have just discovered a tremendous bug in Mastodon.social, which unfortunately I cannot even tell you what it is due to the potential consequences

mcc,
@mcc@mastodon.social avatar

Okay it's fixed now so I guess I can tell you what this was

For about a week there, after introducing the new link preview layout last Sunday, Mastodon.social had no limit on the length of an OpenGraph article title. To test this, I crafted an otherwise blank HTML page whose OpenGraph title was the complete text of the Communist Manifesto. Anytime this page was linked in a mastodon.social timeline, it resulted in a preview with a 6,000 line title. This is how long it took to scroll through:

Video of scrolling through a mastodon.social tab. It is taken up by a picture of Karl Marx followed by a flood of bold text that takes a full minute to scroll through
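The missing bound described in the post above can be illustrated with an added example that is not Mastodon's code and not the project's actual fix: a small Ruby routine that pulls `og:title` out of a fetched page, collapses its whitespace so a multi-line title cannot occupy thousands of rows, and caps its length before anything is rendered into a timeline. `MAX_TITLE_LENGTH`, the helper names and the two sample pages are assumptions constructed here.

```ruby
# Added example (not Mastodon's code): extract an OpenGraph title from a
# fetched HTML document and bound it before it reaches a link preview.
require 'cgi'

# Hypothetical cap; the value a server picks is a policy decision.
MAX_TITLE_LENGTH = 200

META_TAG  = /<meta\b[^>]*>/i
# name="value", name='value' or name=value, in any attribute order
ATTRIBUTE = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Hash of lower-cased attribute names to entity-decoded values for one tag.
def meta_attributes(tag)
  tag.scan(ATTRIBUTE).each_with_object({}) do |(name, dq, sq, bare), attrs|
    attrs[name.downcase] = CGI.unescapeHTML(dq || sq || bare)
  end
end

# Raw og:title content, or nil when the page declares none.
def raw_og_title(html)
  html.scan(META_TAG).each do |tag|
    attrs = meta_attributes(tag)
    key = attrs['property'] || attrs['name']
    return attrs['content'] if key&.casecmp?('og:title') && attrs['content']
  end
  nil
end

# Collapse runs of whitespace (newlines included) and cap the character
# count, appending an ellipsis when anything was dropped.
def sanitize_title(title, max_length = MAX_TITLE_LENGTH)
  collapsed = title.gsub(/\s+/, ' ').strip
  return collapsed if collapsed.length <= max_length
  collapsed[0, max_length - 1] + "\u2026"
end

# What a preview renderer should be handed: bounded, single-line, or nil.
def preview_title(html, max_length = MAX_TITLE_LENGTH)
  raw = raw_og_title(html)
  raw && sanitize_title(raw, max_length)
end

# Constructed sample: an otherwise blank page whose og:title is 6,000 lines long.
HUGE_TITLE = (1..6000).map { |i| "Line #{i} of a very long manifesto" }.join("\n")
OVERSIZED_PAGE = <<~HTML
  <html><head>
  <meta property="og:title" content="#{CGI.escapeHTML(HUGE_TITLE)}">
  <meta property="og:image" content="https://example.invalid/portrait.jpg">
  </head><body></body></html>
HTML

# Constructed sample: a normal page with attributes in the other order.
NORMAL_PAGE = '<head><meta content="Mastodon &amp; friends" property="og:title"></head>'

if __FILE__ == $PROGRAM_NAME
  puts preview_title(OVERSIZED_PAGE).length  # never more than MAX_TITLE_LENGTH
  puts preview_title(NORMAL_PAGE)            # Mastodon & friends
end
```

The cap is applied on the decoded text rather than on the raw attribute bytes, so entity-encoded titles cannot slip past it, and the truncation happens before rendering rather than in the client, so every consumer of the preview (web UI, apps, federated copies) gets the same bounded string.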

mhoye,
@mhoye@mastodon.social avatar

@mcc Good find!

mcc,
@mcc@mastodon.social avatar

I made a GitHub bug for this https://github.com/mastodon/mastodon/issues/26176 but I was trying not to call too much attention to it because the exploit was really easy and when I was testing with it the presence of 6,000 line long, un-collapsible posts in the feed went from funny to irritating really quickly

vmstan,

@mcc :chefskiss:

Middaparka,
@Middaparka@mastodon.social avatar

@mcc 😬

andrewt,
@andrewt@mathstodon.xyz avatar

@mcc oh no, thank you for not publicising this immediately, from everyone who hasn't seen Bee Movie and doesn't want to repeatedly read the ending

mcc,
@mcc@mastodon.social avatar

@andrewt I don't think I want to see Bee Movie

andrewt,
@andrewt@mathstodon.xyz avatar

@mcc not sure I do either, I've literally no idea if it's any good, just that according to all known laws of aviation, there is no way a bee should be able to fly

mcc,
@mcc@mastodon.social avatar

@andrewt My understanding is this is a misconception, and a more accurate statement would be that science was relatively slow to understand the dynamics of bee flight, as it required both accurately modeling bee wings as non-rigid membranes and understanding the behavior of air vortices.

andrewt,
@andrewt@mathstodon.xyz avatar

@mcc are you suggesting I shouldn't take physics advice from animated movies?

mcc,
@mcc@mastodon.social avatar

@andrewt Perhaps

ieure,
@ieure@retro.social avatar

@mcc "To test this, I crafted an otherwise blank HTML page whose OpenGraph title was the complete text of the Communist Manifesto."

Tremendous, this is the stuff I'm here for.

amgine,
@amgine@mstdn.ca avatar

@mcc

I am, vaguely, reminded of the occasional helpful soul in the early 00s popping in to the IRC to report a serious security issue: anyone can edit it.

“It’s a feature.”

mcc,
@mcc@mastodon.social avatar

@amgine it's funny but when you frame it as "spammers can mass bomb hundreds of edits an hour into your wiki and there are no adequate tools for dealing with it" it is less funny and also the reason I shut down my mediawiki instance

amgine,
@amgine@mstdn.ca avatar

@mcc

<nod> Unless you have zillions of volunteers, there’s pretty much no way to have an open wiki. But there are many degrees between wide open and shut down.

E.g.: Mastodon instances. At least as vulnerable to spammers; really more so, as the APIs are far better.

mcc,
@mcc@mastodon.social avatar

@amgine Frankly I'm shocked the problem has been as limited as it has so far

amgine,
@amgine@mstdn.ca avatar

@mcc me too. Or maybe the cba shows how ineffective spamming is.

mcc,
@mcc@mastodon.social avatar

@amgine I don't think I know what that is

amgine,
@amgine@mstdn.ca avatar

@mcc cost-benefit analysis.

mcc,
@mcc@mastodon.social avatar

@amgine Oh

Hm

So we just have to convince them we're all so prickly and anticapitalist we will never buy a product?

amgine,
@amgine@mstdn.ca avatar

@mcc

Or that we all curate our personal timelines aggressively, creating tiny little echo chambers where we are never challenged by alternative points of view or see drive-by posts?

mcc,
@mcc@mastodon.social avatar

@amgine As long as no one is trying to sell me cryptocurrency, fine

Zerofactorial,
@Zerofactorial@noc.social avatar

@mcc Fermat's Last Bug Report

renchap,
@renchap@oisaur.com avatar

@mcc Could you either send me more info directly, or send it to security@joinmastodon.org?

NoraReed,
@NoraReed@mastodon.social avatar

@mcc oh dear

Claire,
@Claire@sitedethib.com avatar

@mcc uh

gsuberland,
@gsuberland@chaos.social avatar

@mcc on .social's infra specifically, or in the Mastodon software as a whole?

mcc,
@mcc@mastodon.social avatar

@gsuberland I… don't… know. Will DM.

Skeeter_Ray,

I ain't got a hitch, it ain't got a mouth on him that would make a mullet look like a wildfire; it spreads courage, determination, and love for all things DIY.
