Bug: Could SN make links safer? \ stacker news ~meta

211 sats \ 18 comments \ @Bitman 17 Jun 2023 meta

This might prevent people posting links into posts. I think Reddit has been doing this for ages.

Would this be possible? Or do people think that this unnecessary as there haven't been any attempted scams?

Here's on link to a site:

www.duckduckgo.com

Here's a malicious link to another site that looks like the first:

www.duckduckgo.com

Although the two links appear to be the same, if the user clicked on the second link, they'd be taken to a site that I've just made up to show the problem (www.thisisascamsite.com)

If you click on the two links you'll see what I mean.

Could SN prevent the obfuscation of links to prevent spam and protect users?

view all related items

25.2k sats \ 9 replies \ @Bitman OP 17 Jun 2023

Maybe I'm wrong. I've got a page not found on the second one. So links are safe @k00b ?

10 sats \ 8 replies \ @ek 17 Jun 2023

No, you are right, this is indeed possible:

www.duckduckgo.com

This is my markdown:

[www.duckduckgo.com](http://www.thisisascamsite.com/)

Not sure what you tried with your markdown.

Good catch. I'll create an issue for that when I woke up.

0 sats \ 0 replies \ @ek 17 Jun 2023

Created a ticket now: https://github.com/stackernews/stacker.news/issues/323

0 sats \ 6 replies \ @Bitman OP 17 Jun 2023

Yay!

10 sats \ 3 replies \ @ek 17 Jun 2023

Also, if you find anything else that someone could abuse, please follow our responsible disclosure policy: https://stacker.news/faq#responsible-disclosure :)

No worries if you didn't know, but now you know ;)

0 sats \ 1 reply \ @Bitman OP 17 Jun 2023

Should I delete the post?

0 sats \ 0 replies \ @ek 17 Jun 2023

Nah it's fine

0 sats \ 0 replies \ @Bitman OP 17 Jun 2023

Sure 👍

0 sats \ 1 reply \ @ek 17 Jun 2023

Does reddit add a redirection warning or do they not allow formatting a link as a markdown link?

100 sats \ 0 replies \ @Bitman OP 17 Jun 2023

I thought the latter. But I'd really ask someone who knows better than me. I just landed lucky on this one!

0 sats \ 0 replies \ @Bitman OP 17 Jun 2023

deleted by author

0 sats \ 0 replies \ @jk_14 17 Jun 2023

I always check the url syntax by hovering mouse on it, before I click on it.

Don't trust. Verify. :))

0 sats \ 0 replies \ @quark 17 Jun 2023

Good observation.

This app might be interesting too. No malicious link. Just a link to the GitHub hehe: URLCheck (Allows analyzing (or sharing) URLs before opening them.) https://github.com/TrianguloY/UrlChecker

0 sats \ 3 replies \ @beorange 17 Jun 2023

Isn't this how the web is meant to work (hypermedia)? And also a normal markdown feature?

I've been using this and it is very helpful to keep the texts clean.

Perhaps a better approach would be a notification after clicking the links, telling the user he is leaving SN and being sent to X (where X is the real place he is being redirected to).

10 sats \ 2 replies \ @ek 17 Jun 2023

Perhaps a better approach would be a notification after clicking the links, telling the user he is leaving SN and being sent to X (where X is the real place he is being redirected to).

Adding a redirection warning for every link would be detrimental to UX, I think. I think the better solution is to prevent formatting links as markdown links. So if something is already a link, you can't use the []() syntax.

I noticed Github is also vulnerable to this.

Created a ticket now: https://github.com/stackernews/stacker.news/issues/323

0 sats \ 1 reply \ @beorange 17 Jun 2023

I'm not sure I would caracterize this as a vulnerability, this is exactly how markdown is supposed to work and the web is supposed to work. I don't see websites being marked as vulnerable because someone includes:

<a href="https://website2.com">https://website1.com</a>

Anyhow, it doesn't hurt to forbid urls in the [] part of [](). I think it is reasonable compromise.

10 sats \ 0 replies \ @ek 17 Jun 2023

I would consider it a vulnerability since it can be abused by attackers.

In your example, as long as the input is trusted, I would also not mark the website as vulnerable. However, if the input is controlled by users and thus not trusted (as is the case here), the website would be vulnerable to phishing attacks.

For example, read more here:

An open redirect vulnerability occurs when an application allows a user to control a redirect or forward to another URL. If the app does not validate untrusted user input, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker’s phishing site.

-- https://learn.snyk.io/lessons/open-redirect/javascript/

Another example would be if our Markdown engine would not already sanitize the () part, XSS would be possible using this: [https://stacker.news/items/194732](javascript:alert(1))

The () part is fortunately replaced with javascript:void(0):

Github just doesn't apply the formatting in this case.

So I don't think it's a big difference between XSS like this and allowing malicious links to consider something a vulnerability or not.

0 sats \ 0 replies \ @Bitman OP 17 Jun 2023

deleted by author