this post was submitted on 05 May 2024
49 points (67.9% liked)

Fediverse

28625 readers
156 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 20 points 7 months ago (3 children)

Direct link to article:

https://news.itsfoss.com/mastodon-link-problem/

TL;DR:

When you share a link on Mastodon, a link preview is generated for it, right?

With Mastodon being a federated platform (a part of the Fediverse), the request to generate a link preview is not generated by just one Mastodon instance. There are many instances connected to it who also initiate requests for the content almost immediately.

And, this "fediverse effect" increases the load on the website's server in a big way.

Does Lemmy not cause this issue? Other federated software was not mentioned in the article at all.

[–] [email protected] 7 points 7 months ago (2 children)

So the preview should be federated as well?

How many requests are we actually talking about here, though? Is that better or worse than everyone clicking the link?

[–] [email protected] 9 points 7 months ago (2 children)

There's some problem with a federated previews: tricking one instance into generating the wrong preview would spread to every instance. It's been exploited for malware and scam campaigns in message apps.

[–] poplargrove 3 points 7 months ago

Here's a related, interesting example for BlueSky, on generating disguised links and preview cards (with content the url doesn't actually contain) for anyone curious: https://github.com/qwell/bsky-exploits

[–] [email protected] 2 points 7 months ago (1 children)

What is the threat model here?

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago) (1 children)

Masquerading a normal looking link for another one, usually phishing, malware, clones loaded with ads.

Like, lets say I post something like

https://www.google.com

And also have my instance intercept it to provide Google's embed preview image, and it federates that with other instances.

Now, for everyone it would look like a Google link, but you get Microsoft Google instead.

I could also actually post a genuine Google link but make the preview go somewhere else completely, so people may see the link goes where they expect even when putting the mouse over it, but then they end up clicking the preview for whatever reason. Bam, wrong site. Could also be a YouTube link and embed but the embed shows a completely different preview image, you click on it and get some gore or porn instead. Fake headlines, whatever way you can think of to abuse this, using the cyrillic alphabet, whatever.

People trust those previews in a way, so if you post a shortened link but it previews like a news article you want to go to, you might click the image or headline but end up on a phony clone of the site loaded with malware. Currently, if you trust your instance you can actually trust the embed because it's generated by your instance.

On iMessage, it used that the sender would send the embed metadata, so it was used for a zero click exploit by sending an embed of a real site but with an attachment that exploited the codec it would be rendered with.

[–] [email protected] 1 points 7 months ago

Couldn't a malicious ActivityPub server do similar things now?

[–] [email protected] 6 points 7 months ago

2 requests per instance - one for the HTML of the page and another for a preview image.

[–] [email protected] 6 points 7 months ago

Lemmy (and Kbin for that matter) very much do the same thing for posts. I don't think they fetch URL previews for links in comments, but that doesn't matter: posts and comments are both fairly likely to end up spreading to Mastodon/etc anyway, so even comments will trigger this cascade.

Direct example: If you go to mastodon.social, stick @[email protected] in the search box at the topleft and click for the profile, you can end up browsing a large Mastodon server's view of this community, and your very link has a preview. (Unfortunately, links to federated communities just result in a redirect, so you have to navigate through Mastodon's UI.)

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

They say it's fediversal in the comments on Mastodon.