Raccoon :verified: on Nostr: I noticed a #vulnerability with the way #Mastodon displays link previews earlier that ...
I noticed a #vulnerability with the way #Mastodon displays link previews earlier that I haven't gotten around to reporting on the GitHub.
There was a spammer using a link with a preview that was basically a screenshot of an image behind a CW, making it look like there was an image to unhide, but when you tried to click it, it would send you to the website they had linked. I also saw a variant with a fake video preview.
It is very hard to tell the difference between this fake image and a real one, and I think that needs to be changed, perhaps with something that makes it clearer that you are looking at a link preview, and will be taken to a website if you click it.
Published at 2025-02-18 06:18:07

Event JSON
{
  "id": "50b4b0627236f5d58e710fcf4b8aa0813d90b1adcd3f11d4c91507b510129403",
  "pubkey": "e4df6237ead0b8cec21eb6e3b3b693978e49257f9b3eac524c98afd809309d94",
  "created_at": 1739859487,
  "kind": 1,
  "tags": [
    [
      "t",
      "vulnerability"
    ],
    [
      "t",
      "Mastodon"
    ],
    [
      "proxy",
      "https://techhub.social/users/Raccoon/statuses/114023431350855488",
      "activitypub"
    ]
  ],
  "content": "I noticed a #vulnerability with the way #Mastodon displays link previews earlier that I haven't gotten around to reporting on the GitHub.\n\nThere was a spammer using a link with a preview that was basically a screenshot of an image behind a CW, making it look like there was an image to unhide, but when you tried to click it, it would send you to the website they had linked. I also saw a variant with a fake video preview.\n\nIt is very hard to tell the difference between this fake image and a real one, and I think that needs to be changed, perhaps with something perhaps with something that makes it clearer that you are looking at a link preview, and will be taken to a website if you click it.",
  "sig": "fa998ceee0871994050fd97600d0ffe8c47194683bb9aae1aa303148040d8ce772de2893e47093464076e05fe0a0f7f2302463b53c48f487c9f23da2086e5687"
}