WARNING: Phishing Attacks, HTML markup to hide urls, are now in Mastodon.

While Mastodon does not have markup to allow hiding urls, they share API with "friendica" and friendica ALLOW HIDING URLS.

And friendica accounts can post on Mastodon.
I have asked for a solution, none is forthcoming.

Click NO LINKS that come from friendica. Be wary of links on Mastodon, as if Mastodon were "email" - without any protections.

Multiple reports of other fediverse branches allow hiding urls. No Clicking links

Mozilla, makers of open source free Firefox, joined Mastodon last week. Mozilla began testing Mastodon security, including how their server responded to attacks and more.

They found 5 major flaws, threats, including the ability to take over a server, control a server, with a post.

With a post. TootRoot.

"Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking"

For 13 million users, #Mastodon NEEDS a security FOCUS.

Demand layers of protection.

https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/

@kevinrns I see Mozilla.social online for months, but still closed for registration (that's why I'm at Vivaldi social right now).
@kevinrns This is why code needs to be open. Everyone can test it and help fix it.
@sten @kevinrns it needs to be open AND have resources that can audit it, security ain’t cheap
@Luk @kevinrns Yes! And for open code, the resources to code and audit can be with different organizations.

@kevinrns

Yikes.

In other news I would pay real money for people to stop using the word 'toot' to refer to posts in this place. It's the euphemism my dearly departed mother used to use for farting.

@resonancewright

Sure, I don't use PayPal though.

@kevinrns some forks like glitch will show a preview of the target url for any links. Probably the only solution is if mastodon upstream does the same

@cinebox

Do you mean an image? An image of the resulting site doesn't expand the url. Show the url directly in the post. If a url is hidden, reveal it automatically in plain text in the post, as the standard, as other software can do. As an example it would display

"GO HERE" [ abcnews.com/perfectlynormal.html ]

@kevinrns yeah that’s what glitch does

@cinebox

Which is what 'glitch' (app version of mastodon) does?

Shows an image or reveals the hidden url automatically as plain text?

#MastodonNeedsRepair
#Mastodon

@kevinrns shows the URL for an <a>

Regardless, this isn’t exactly a new addition to the web

<a>: The Anchor element - HTML: HyperText Markup Language | MDN

The <a> HTML element (or anchor element), with its href attribute, creates a hyperlink to web pages, files, email addresses, locations in the same page, or anything else a URL can address.

MDN Web Docs

@cinebox

Yes phishing (phishing and hidden urls are good search terms) has been around for ages.

Imagine the fun if hashtags are included in the hidden part

Like if this were the hashtag for #climate but was instead a hidden url. How many slow the click to check if a hashtag is a hidden url?

And now add editing to hidden urls.

@cinebox

Safety is ignored, power conglomerates have been taken down by phishing. School districts, hospitals. I would advise no one to access #Mastodon from a security needing computer. No hospital, school, business or utilities for now

#MastodonSecurity is an afterthought. #meta

@kevinrns can anyone tell us how to identify Friendica posts?

@yingtai

the address is @friendica or @something.friendica."some extension"

@kevinrns

are you talking about its use of BBCode or Markdown for formatted text in posts? i thought those links came through “raw” (unformatted) in most Mastodon clients — or is this something else? got a link to a writeup or bug report?

@kevinrns That is not new, is it?
Btw some clients like @Tusky have a feature that makes links hidden by markup visible
@ConnyDuck @kevinrns @Tusky I would love this option in @tootapp too!
@blinkygal @ConnyDuck @kevinrns @Tusky Yeah that seems like it would be a good idea to add.
@Kevin Russell @KrissyKat 🏳️‍⚧️ Stop to think a moment. Which is the most well-known software in the Fediverse? That would be the first place to look for suspicious activities. You make it sound like "hiding urls" is something very suspicious. Would it be so strange if I wanted a 4 row link to an article to just show the title of the article instead?
I am not saying a bad actor couldn't use Friendica. Or any other software where this is perfectly normal. But my bet would be on something more well known. A warning is good - panic not so much.

@shimriez

Online security is layer after layer after layer of protections.
Clear visible URLs is the most basic of protections.

"What is phishing and how dangerous is it?"
News - By Darren Allan - last updated June 24, 2022 👈
It’s one type of threat that really shouldn’t be underestimated
https://www.techradar.com/news/what-is-phishing-and-how-dangerous-is-it

"Three common types of phishing scams"
https://www.getcybersafe.gc.ca/en/blogs/three-common-types-phishing-scams

https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

"Shortcut LNK Files May Contain Malware"
https://www.opswat.com/blog/shortcut-lnk-files-may-contain-malware

@kevinrns do you have any example/POC of this?

@fuomag9

Example of hidden urls posted on mastodon? Just one sec, back searching, didn't bookmark it.

Here it is. Again I have no idea if the hidden url is still there, still the same as it was, about to be edited, or safe.

YMMV

https://mstdn.social/@hankg@friendica.myportal.social/110664223061565419

Hank G ☑️

I love Star Trek INtakes. This one has several. #StarTrek #StarTrekInTakes #humor #funny #GeekHumor

@fuomag9

This post has, what I assume, but do not trust, a perfectly safe url behind the blue html markup.

Now add mastodon editing to hidden urls.

"The first five urls he used, behind the hiding html, were fine, no malware, just porn pop ups," a security researcher might say, "until the sixth and seventh edit, then it was ransomware."

https://mstdn.social/@hankg@friendica.myportal.social/110664223061565419

@kevinrns

Anytime I see a link in social media I might want to visit, I copy it then paste it into the Trace URL form at https://wheregoes.com. Then I copy and paste the final link in the trace, sometimes after making some obvious modifications to it, into the browser to visit the link. I usually use Tor browser for this

It's hassle but it really makes me think twice before deciding to visit a link. It has also been a bit eye opening.

Good luck, everyone. Be careful out there!

@jrredho

Online protection is layer after layer of safety measures, as your apparent risk increases, like John, you add layers.

There is NEVER a good reason to hide urls.

If you "trust" a site you might skip a layer, like John uses, if he is on johnswebsite.net or mybrothersblog.com. Mastodon is tens of thousands of websites run by randos, mostly but not all, lovable randos.

Removing ANY protections from Mastodon is a conspiracy of dumb.

@kevinrns glitch-soc, a mastodon fork also has the ability to do this

Google.com

Example Domain

@Ember

I want warnings and protections from these silly security noob lapses. Wtf. Wtaf. That fork of mastodon was written by Putin of course, with help by Bannon, the Chinese and Cambridge Analytica

@kevinrns @Ember I'm sorry, what?

@SympathyTea @Ember

Hiding urls is entirely and completely a security lapse. Its either a noob failure, or planned breakage.

@kevinrns @Ember I'm less focused on that.
What do you mean by "that fork (glitch-soc) was written by Putin"?

@SympathyTea @Ember

That is the explanation for the question.

@kevinrns @Ember glitch-soc also shows the actual domain next to it

@esm @Ember

Ah, that is good practice, and should be Mastodon's
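The behaviour described in this exchange (glitch-soc and Tusky showing the real destination next to a link) can be checked with a small renderer-side pass over a post's HTML. The code below is an added example written for this thread; it is not code from Mastodon, glitch-soc, Tusky or Friendica, and the sample post HTML, the host names and the verdict labels are constructed for illustration. It appends the real host in plain text after each `<a>` whose text does not already reveal it, in the `"GO HERE" [ host ]` style proposed earlier, and it separately flags link text that names a different domain than the href (the "Google.com" demonstration above), link text dressed up as a hashtag whose href is not a tag page, and non-web schemes. It matches anchors with a regex over already-sanitised post HTML; a real client would walk the DOM instead.

```javascript
// Added example (not from the thread or any fediverse project): annotate the
// <a> elements of a post so the real destination host is visible as plain
// text, and flag the hidden-url cases discussed in the thread.

const ENTITY_MAP = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Decode the handful of entities a post sanitiser emits in hrefs and text.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => ENTITY_MAP[m]);
}

// Strip nested tags (e.g. <span class="invisible">) to get the visible link text.
function visibleText(inner) {
  return decodeEntities(inner.replace(/<[^>]*>/g, '')).replace(/\s+/g, ' ').trim();
}

// Normalise a host for comparison: lower-case and drop a leading "www.".
function normaliseHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

// If the visible text itself looks like a URL or bare domain, return that host;
// otherwise null. Plain words such as "GO HERE" never count as a domain.
function hostNamedByText(text) {
  if (/\s/.test(text)) return null;
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    const u = new URL(candidate);
    return /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(u.hostname) ? normaliseHost(u.hostname) : null;
  } catch {
    return null;
  }
}

// Classify one anchor: which host it really goes to and whether the text hides that.
function classifyAnchor(href, text) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return { href, text, host: null, verdict: 'unparseable-href' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { href, text, host: url.hostname || null, verdict: `non-web-scheme:${url.protocol}` };
  }
  const host = normaliseHost(url.hostname);
  const claimed = hostNamedByText(text);
  if (claimed !== null && claimed !== host) return { href, text, host, verdict: 'host-mismatch' };
  if (/^#\w+$/.test(text)) {
    // A genuine hashtag link points at a tag page for that tag; anything else is a url hiding behind a hashtag.
    const tag = text.slice(1).toLowerCase();
    const isTagPage = new RegExp(`/tags?/${tag}/?$`, 'i').test(url.pathname);
    return { href, text, host, verdict: isTagPage ? 'hashtag' : 'hashtag-text-hides-url' };
  }
  return { href, text, host, verdict: claimed === null ? 'opaque-text' : 'ok' };
}

const ANCHOR_RE = /<a\b[^>]*?\bhref\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;

// Walk the post HTML; return it with the real host appended after each link that
// does not already show it, plus the per-link findings for logging or UI warnings.
function annotateLinks(html) {
  const findings = [];
  const annotated = html.replace(ANCHOR_RE, (match, rawHref, inner) => {
    const f = classifyAnchor(decodeEntities(rawHref), visibleText(inner));
    findings.push(f);
    if (f.verdict === 'hashtag' || f.verdict === 'ok') return match; // nothing hidden
    const label = f.host ? f.host : f.href;
    const marker = f.verdict === 'opaque-text' ? '' : ` (!) ${f.verdict}`;
    return `${match} [ ${label}${marker} ]`;
  });
  return { annotated, findings };
}

// Constructed sample post HTML (not a real post) covering the cases from the thread.
const SAMPLE_POST_HTML = [
  '<p>I love Star Trek intakes. <a href="https://example.com/clip?id=1&amp;x=2">GO HERE</a></p>',
  '<p><a href="https://example.com/">Google.com</a></p>',
  '<p><a href="https://example.net/not-a-tag">#climate</a> vs real <a href="https://mastodon.example/tags/climate">#climate</a></p>',
  '<p><a href="https://www.example.org/">example.org</a></p>',
  '<p><a href="ftp://example.org/report">Quarterly report</a></p>',
].join('\n');

function runSample() {
  return annotateLinks(SAMPLE_POST_HTML);
}

if (typeof require !== 'undefined' && require.main === module) {
  const { annotated, findings } = runSample();
  console.log(annotated);
  for (const f of findings) console.log(`${f.verdict.padEnd(24)} "${f.text}" -> ${f.href}`);
}
```

Run it with `node` and the sample prints `GO HERE</a> [ example.com ]`, flags `Google.com` as `host-mismatch` because it actually goes to example.com, flags the first `#climate` because its href is not a tag page, and leaves the genuine hashtag and the `example.org` link untouched. The hashtag rule is a heuristic on the href path; a client that receives the server's tag list with the post would use that instead.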

Luci For Tai Chi (@[email protected])

@[email protected] @[email protected] dudebros who think they’re being allies by arguing with fascists and spreading propaganda can get the fuck away from me and stop speaking for me

Queer Party!
@kevinrns @Ember
this reply is literally all you need to know; what the actual fuck
@kevinrns so wait, are you worried about this kinda thing?
Example Domain

@yukijoou

Hey look, "whatever the hell this fediverse branch is" can phish scams too.

Mastodon is a sloppy fucking mess. Security is a joke.

Do Not EVER CLICK Any Links On Mastodon.

#Mastodon Is Just As Safe As Email 👈

@kevinrns running akkoma here, i assume pretty much all fediverse software will allow you to post such links though. and yeah, it’s “just as safe as emails”, it’s still just a fancy html editor after all, why would it be safer?

you’re still on the internet, i’d argue you’re still expected to follow basic security advice, like checking the url you’re going to when hovering, checking the url bar before entering any information, and using a context-aware password manager for all your logins that doesn’t autofill when the domain doesn’t match.

this kind of link customisation feature has been available on forums and online boards for decades at this point. some more modern internet discussion platforms seem to have removed it, which i think made some people forget, or just not learn, to use those other, safer, ways of ensuring the url you’re clicking on is what you expect. maybe mastodon should warn users with a pop-up before opening such links? i don’t know, i’m not a ux designer, you can advocate for it upstream with whichever fediverse software you’re using if you want it tho, fedi is all about having options, after all

@yukijoou

Did I answer this? The freedom to hide urls reminds me of the right to racist propaganda.

Let me phish! For freedom.

@kevinrns well, this is the web, you are free to use extensions on your webbrowser that change that behaviour if you don’t like it. it seems far from the same as propaganda to me

if you’re just looking for excuses to be angry at something, i see no point in arguing further. if you really want change, i suggest advocating for it on the mastodon and other fediverse-compatible social network’s issue trackers

keep in mind though that this is an ability websites have had since the world wide web was invented at cern, and this is the first time i’ve heard it being compared to propaganda

Link shorteners have existed for a long time; I think you're making a bigger deal out of this than it is.
@kevinrns What does this exactly mean? do you mean like, using markdown's ability to hide links with text? or is there some actual security vuln with this
SearXNG instances

Online and offline instances

@sneexy

Just a sloppy mess. Like email.

@kevinrns Micro.blog also federates and allows markup urls.

@andrewbriscoe

Thanks. All hidden urls must be automatically revealed. Relying on your device to tell the difference between a long press, when remembered, and a click that loads the malware, is like saying "Rattlers in your hallway? Just grab 'em behind the ears."

It's not security.

Don't click any links in Mastodon, the urls are behind markup to hide the actual destination.

Don't Click On Mastodon Ever.

@Kevin Russell I know what phishing is. I know what a link shortener is. That is not what is used here. To see the full url, most clients let you do that by long pressing. This is neither shady nor what you call hidden. It's a feature that most software outside Mastodon uses.
Friendica is not a bad actor. Neither is Akkoma, Calckey, Hubzilla and the others. So no need to worry.

@shimriez

Mastodon needs to reveal full links in plain text when they are hidden.

@kevinrns I'm also not sure why you'd single out Friendica, since WordPress can do this too.

@spraoi

Mastodon must automatically reveal hidden urls, in plain text, beside the hidden url.

as is security sensible, as is done elsewhere.

Mastodon is 13 million randos, on ten thousand rando servers. No idea who any are, it's email squared.

Do not click links on mastodon, like you don't click links in email.

@kevinrns
Great resource, thanks for the link 😎

@MostlyTato

search-engine "how hidden links phishing malware"

@kevinrns been a while since I had to deal with webpages, but can't you filter this stuff out at one of the many layers before finally sending out the html? I use my own antibrowser thin client for net/cloud apps so I would never see this particular problem.

@otheorange_tag

Mozilla, after joining Mastodon, because they love free, freedom and free people controlling their lives, took a moment to seriously test Mastodon, and found five critical threats, including the ability to root a Mastodon server with a post, a toot.

Automatically revealing actual urls, beside links under markup, is a basic layer of protection.

I hope Mozilla has more tests, more suggestions and joins in helping make #Mastodon security focused.

https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/