hexbear

10261 readers

2 users here now

Now that the old Hexbear fork has been officially abandoned, this community will be used as a space for meta-discussion on the site itself.

founded 4 years ago

MODERATORS

[email protected]

I miss how before federation we could see/read images in posts without selecting them, and not having half of the selected images automatically take you off-site (hexbear.net)

submitted 1 year ago by [email protected] to c/[email protected]

14 comments fedilink hide all child comments

Like we used to have embedded Youtube videos, etc.

Any chance we can go back to that format? Is that possible post federation? Being taken off site all the time kind of sucks, (especially if you're like me and you get logged out every time.)

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 12 points 1 year ago (1 children)

Those embeds were a massive security concern, imo. If we could do invidious embeds of YouTube, that'd probably be better as far as privacy goes, but loading up random PDFs are rarely a good idea.

[–] [email protected] 4 points 1 year ago (1 children)

Can you explain to somebody who is an idiot what the security concern is?

[–] [email protected] 6 points 1 year ago (1 children)

I'll do you one better. Here's an actual thread we had about PDFs causing Hexbear (chacha) popups and me going into ways I've exploited similar systems.

[–] [email protected] 3 points 1 year ago (1 children)

The link gives me a server error?

[–] [email protected] 1 points 1 year ago (1 children)

The link in the comment you just replied to, or the post link? The post link has been deleted, but that's the convo we had around it. You can try refreshing for the convo, it works for me.

[–] [email protected] 2 points 1 year ago (1 children)

I also get a server error, refresh does nothing.

[–] [email protected] 1 points 1 year ago (1 children)

What's the error?

[–] [email protected] 2 points 1 year ago (1 children)

It's literally just a white page that says "Server error"

[–] [email protected] 1 points 1 year ago (1 children)

Don't click on the deleted post, read the comments.

[–] [email protected] 3 points 1 year ago (1 children)

All I'm clicking on is your link (https://hexbear.net/comment/568900) and I get the server error.

[–] [email protected] 6 points 1 year ago (1 children)

Oooooh, I wonder if it's only letting me see it because I have a comment in the deleted post.

TLDR there was a pdf hosting site that was causing shady popups on hexbear

Here's the important bit.

So while we're on the topic, while it's totally normal for a rando site that isn't worried about its users being doxxed to lint opengraph tags and slap things like offsite images and iframes of youtube videos within the site's page, it is a serious security hole for your users. If some chud group wanted to come along and grab as many IPs that they could of our userbase all they've gotta do is figure out what chacha is willing to let through remotely and host that sort of content from their own site. Years back I used to do something similar on an old blog where I hosted an image on my own site that was actually a php script logging IPs of everyone that loaded it and then I'd just slap the img url into the comments of the blog. Over time that attack evolved into me figuring out how to slip javascript in place of the image and grabbed everyone's cookies, letting me log in as whomever I wanted. Loading remote iframes (like for youtube videos) is just the sort of hole I'd be looking for if I wanted to do it again. Just fyi to anyone interested.

[–] [email protected] 2 points 1 year ago (1 children)

Thank you. That's some good posting right there.

[–] [email protected] 1 points 1 year ago

Welcome. stalin-approval