1. I create a well crafted post to a normal site that gets 10.000 upvotes.

  2. I change the URL to a malicious site.

  3. ???

  4. Profit

  • Sulfur@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    Reminds me of a long time ago when GameSpot and GameFAQs forums merged. GameSpot users had the ability to edit titles so they would have threads like “what’s your shoe size?” Then they would change the title to something like “how old are you?” to get the GameFAQs posters banned (due to the minimum age requirements)

  • Salamander@mander.xyz
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    It makes it a little bit easier to do, but it is not difficult to replicate this effect without changing the URL in the title - using a redirected URL and changing the redirect address, for example.

    I think that this small increase in the way this kind of attack can be delivered is more than counter-balanced by the convenience of having editable titles.

    • CoderKat@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Titles being editable is really useful. So many posts have misleading titles, causing posts to have to either get removed or flaired (I don’t think we have an equivalent of flairing yet).

      Plus, unless we’re prohibiting editing the body or even comments within posts, it has similar risks to editing the title or URL. Though the post URL is the one most likely to get clicked and thus is the highest risk.

      It is something tooling could help detect. Moderator tools could detect posts changing the URL and flag the post for review. The general idea of spam filters apply well here. Spam filters aren’t just for completely preventing spam, but also for flagging potential spam. We could train spam filters on diffs of comments so that they can recognize when posts seemed to have completely changed in a way that we’d classify as spam.

  • ronaldtemp1@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    I see what you are doing here. But being able to edit title is so convenient, I couldn’t live without it.

    Maybe add a heads-up notice saying the URL has been specifically edited after some time has passed since post creation? e.g. Two hours?

    Or do something like what Twitter is doing now, letting users add specific context on the title notifying people about what changed, even confirming misinformation?

    Or always crosscheck the hyperlink in title or body with an open-source malicious site database and flag all malicious sites once and for all?

    • DrYes@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      edit-2
      1 year ago

      I’m not talking about the title but the actual page a post links to. Your idea to mark edited URLs is great, though.

      Or always crosscheck the hyperlink in title or body with an open-source malicious site database and flag all malicious sites once and for all?

      The internet is in flux. Once and for all is not possible.