-
I create a well crafted post to a normal site that gets 10.000 upvotes.
-
I change the URL to a malicious site.
-
???
-
Profit
There’s also
-
I create a well crafted post woth a url to a normal site in the body of my post that gets 10.000 upvotes.
-
I change the URL to a malicious site.
-
???
-
Profit
Yeah, this is why reddit didn’t allow it. I don’t think Lemmy should either.
Reminds me of a long time ago when GameSpot and GameFAQs forums merged. GameSpot users had the ability to edit titles so they would have threads like “what’s your shoe size?” Then they would change the title to something like “how old are you?” to get the GameFAQs posters banned (due to the minimum age requirements)
One down vote?? Why lol
It makes it a little bit easier to do, but it is not difficult to replicate this effect without changing the URL in the title - using a redirected URL and changing the redirect address, for example.
I think that this small increase in the way this kind of attack can be delivered is more than counter-balanced by the convenience of having editable titles.
You don’t need to use a known redirect link. If the plan begins with a post that obtains 10,000 likes, I am sure the attacker can spend a small amount of effort and register a domain.
Surely you don’t think that’s equivalent to a simple 5 second copy paste of a new URL into the textbox, right?
And it’s not just about attack vectors, it’s also about stealth ads and misinformation
