1. I create a well crafted post to a normal site that gets 10.000 upvotes.

  2. I change the URL to a malicious site.

  3. ???

  4. Profit

  • gun/linux@latte.isnot.coffee
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    There’s also

    1. I create a well crafted post woth a url to a normal site in the body of my post that gets 10.000 upvotes.

    2. I change the URL to a malicious site.

    3. ???

    4. Profit

  • Salamander@mander.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    It makes it a little bit easier to do, but it is not difficult to replicate this effect without changing the URL in the title - using a redirected URL and changing the redirect address, for example.

    I think that this small increase in the way this kind of attack can be delivered is more than counter-balanced by the convenience of having editable titles.

      • Salamander@mander.xyz
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        1 year ago

        You don’t need to use a known redirect link. If the plan begins with a post that obtains 10,000 likes, I am sure the attacker can spend a small amount of effort and register a domain.

        • deweydecibel@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Surely you don’t think that’s equivalent to a simple 5 second copy paste of a new URL into the textbox, right?

          And it’s not just about attack vectors, it’s also about stealth ads and misinformation

          • Cinner@kbin.social
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            I’m not sure what you’re getting at but he’s right, it’s incredibly simple to setup a new redirect site.

  • BombOmOm@lemmy.world
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    5
    ·
    edit-2
    1 year ago

    The url and title should both be locked after a post. The contents should be free to change, that way updates and such can be posted if necessary.

    Comments can continue to work as-is, there is a similar danger there, but it doesn’t matter nearly as much.

    • CoderKat@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Titles being editable is really useful. So many posts have misleading titles, causing posts to have to either get removed or flaired (I don’t think we have an equivalent of flairing yet).

      Plus, unless we’re prohibiting editing the body or even comments within posts, it has similar risks to editing the title or URL. Though the post URL is the one most likely to get clicked and thus is the highest risk.

      It is something tooling could help detect. Moderator tools could detect posts changing the URL and flag the post for review. The general idea of spam filters apply well here. Spam filters aren’t just for completely preventing spam, but also for flagging potential spam. We could train spam filters on diffs of comments so that they can recognize when posts seemed to have completely changed in a way that we’d classify as spam.