
We know about these. We have mitigations planned. We don’t think they’re cause for huge alarm.

Bluesky posts have a rich text system, which means links in posts are similar to anchor tags. It’s not a markup; it’s a way to annotate slices of a string with facets such as links or bold or etc. This means you can linkify any text, thus the first concern raised. We intend to create an interstitial warning if the linkified text doesn’t show the domain clearly.

The posts also have an embed system for images, links, and other posts. We currently naively accept the link cards as published, and we need to stop doing that and fetch the link cards on read instead.

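The comment above describes how a link facet annotates a byte range of the post text with a URI, so the visible text and the destination are independent, and proposes an interstitial when the text does not clearly show the domain. The check below is an added example, not Bluesky's code: it follows the record shape of the public app.bsky.richtext.facet lexicon (byteStart/byteEnd over the UTF-8 bytes of the text, a features list with $type app.bsky.richtext.facet#link and a uri), while the classification rules, the helper names and the sample post are my own constructions.

```python
"""Deceptive-link check for Bluesky-style rich text facets.

Added example (not Bluesky's code). Record shape follows the public
app.bsky.richtext.facet lexicon; the warning logic, helper names and the
sample post are constructed for illustration.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

LINK_TYPE = "app.bsky.richtext.facet#link"

# Visible text a reader would take to be a URL or a bare hostname
# (optional scheme, at least one dotted label, optional path/query).
_URLISH = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[:/?#].*)?$",
    re.IGNORECASE,
)


def host_of(s: str) -> str:
    """Hostname of a URL or bare host, lower-cased, trailing dot removed.

    urlsplit() drops userinfo, so "https://good.com@evil.example/" yields
    "evil.example" rather than the decoy in front of the '@'.
    """
    if "://" not in s:
        s = "https://" + s
    return (urlsplit(s).hostname or "").lower().rstrip(".")


def facet_text(text: str, facet: Dict) -> str:
    """Slice the post text by the facet's *byte* offsets (UTF-8), as the lexicon specifies."""
    raw = text.encode("utf-8")
    idx = facet["index"]
    return raw[idx["byteStart"]:idx["byteEnd"]].decode("utf-8", "replace")


def classify_link(shown: str, uri: str) -> Dict:
    """Decide whether a link needs an interstitial: opaque text, mismatched host, or fine."""
    target = host_of(uri)
    shown = shown.strip()
    if not _URLISH.match(shown):
        return {"shown": shown, "uri": uri, "warn": True,
                "reason": "link text does not show a domain"}
    visible = host_of(shown)
    # Accept an exact match or a link into a subdomain of the shown host.
    # Simplification: no public-suffix list, so shown text "co.uk" would also
    # pass for a link to evil.co.uk; a real deployment should consult one.
    if target == visible or target.endswith("." + visible):
        return {"shown": shown, "uri": uri, "warn": False,
                "reason": "shown host matches link host"}
    return {"shown": shown, "uri": uri, "warn": True,
            "reason": f"text shows {visible} but link goes to {target}"}


def check_post(record: Dict) -> List[Dict]:
    """Run classify_link over every link feature in a post record."""
    findings = []
    for facet in record.get("facets", []):
        for feature in facet.get("features", []):
            if feature.get("$type") == LINK_TYPE:
                findings.append(classify_link(facet_text(record["text"], facet), feature["uri"]))
    return findings


def link_facet(text: str, shown: str, uri: str) -> Dict:
    """Build a link facet for the first occurrence of `shown`, with correct UTF-8 byte offsets."""
    start = text.index(shown)
    byte_start = len(text[:start].encode("utf-8"))
    return {
        "index": {"byteStart": byte_start, "byteEnd": byte_start + len(shown.encode("utf-8"))},
        "features": [{"$type": LINK_TYPE, "uri": uri}],
    }


# Constructed sample post; the leading emoji makes byte and character offsets differ.
TEXT = "\U0001F510 read this: good.com and also my notes and docs.good.com"
SAMPLE = {
    "text": TEXT,
    "facets": [
        link_facet(TEXT, "good.com", "https://evil.example/phish"),   # deceptive: text vs host
        link_facet(TEXT, "my notes", "https://good.com/notes"),       # opaque: no domain shown
        link_facet(TEXT, "docs.good.com", "https://docs.good.com/"),  # honest
    ],
}

if __name__ == "__main__":
    for f in check_post(SAMPLE):
        print("WARN" if f["warn"] else "ok  ", f["shown"], "->", f["uri"], "|", f["reason"])
```

Both warning cases map onto the comment's proposal: opaque text ("my notes") is the case where the domain is not shown at all, and the mismatch ("good.com" pointing at evil.example) is the case the report raised. Because offsets are bytes, a client that slices by characters would read the wrong text once a multi-byte character precedes the facet, which is why the sample deliberately starts with one.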


As someone who's been following development and the situation in general, I just thought I'd pop in to say "I second this" - which normally wouldn't be a very useful reply, but I think people are (rightfully) skeptical of first-party claims when it comes to the significance of security issues.


I think it's better to just not allow custom text for links. It's the behavior people are accustomed to from years of using various social media platforms.


> fetch the link cards on read instead.

do you mean, hitting a site every time someone loads a post?

that's going to lead to some obvious issues with hammering sites


It's definitely a case for huge alarm.

Maybe not the vulns. But the interaction with a security researcher. Like this part: "Bluesky has responded to only one of these reports, one time, 4 days after submission, saying "We appreciate the report, and we'll be taking a closer look at the issue.". They did not follow up on that report and they have not responded to any of my other reports."

It shows all signs of a company without a working security process.


If a website accepts (safely sanitized) HTML input, and I report that it's a security issue that I'm allowed to post:

  <a href="https://evil.com/">good.com</a>
, how much of a response am I owed?

"Yes, thank you, we're aware" seems more than adequate to me. Engaging a full-blown vulnerability disclosure process for something like this seems like a waste of time for everyone involved.


I'm one of the engineers at Bluesky that handles incoming security reports. We of course do take reported security issues very seriously. We have worked positively with a number of researchers.

The initial email in this case was received on a Friday afternoon, reviewed briefly for severity, and then acknowledged on the following Tuesday. There was a reply from another engineer on Wednesday to a reply by the reporter.

But we certainly could have followed up better, and we could have been more clear. We're a very small team and the severity was deemed low, but even so we'll try to do better in the future for similar cases.

We do want to handle these kinds of reports better than most companies do. Creating a safe and secure system for users (which include our own families and friends) is something the team very genuinely cares deeply about.


I'm the reporter of these (and other) issues and the author of the vuln repository this article links to.

While I appreciate your response, the accuracy of the timeline you provided (Wednesday's email was about documentation), and your comment that "[w]e do want to handle these kinds of reports better", I can't help but point out that even today, Bluesky still hasn't reached out to me about the specifics of these (and other...) vulnerabilities. Bryan Newbold did email me a week after this disclosure to answer a few questions, but it didn't address the vulnerabilities at all; I like Bryan -- the few discussions we've had have been positive -- but he isn't the person that should have emailed me.

Sidenote, https://bsky.app/profile/jacob.gold/post/3k7frqmvhft2b sure did seem personal. The timing suggests that it was made solely to mock the situation. (To be clear, I like and respect @retr0.id a lot; I've bounced some of my ideas off of him and he's the "second security researcher" I referred to in the vuln repository.)

This whole thing has put an extremely bad taste in my mouth.


Paul, take a break and let your superiors answer for their design decisions.


Please don't cross into personal attack. It's not what this site is for, and destroys what it is for.

https://news.ycombinator.com/newsguidelines.html


Sorry. In hindsight I needed to go to bed last night and not be hanging out on hacker news.


It happens! (boy does that happen)


And if they drop by, they could also address the poor handling of security reports as described in the fine article. Because if the only way to get a reply about security issues is to get it to the front page of HN, that's a sign to me that the security team, if there is one, is deeply underwater.


not to mention they hold onto your keys for you!


afaik, Paul designed the rich text system.


And he works for people who run a centralized social network who pushed it into production.
