1. I create a well crafted post to a normal site that gets 10.000 upvotes.

  2. I change the URL to a malicious site.

  3. ???

  4. Profit

  • @SheeEttin
    link
    English
    421 year ago

    Yeah, this is why reddit didn’t allow it. I don’t think Lemmy should either.

  • BombOmOm
    link
    English
    25
    edit-2
    1 year ago

    The url and title should both be locked after a post. The contents should be free to change, that way updates and such can be posted if necessary.

    Comments can continue to work as-is, there is a similar danger there, but it doesn’t matter nearly as much.

    • deweydecibel
      link
      English
      28
      edit-2
      1 year ago

      Title should be editable for at least a few minutes after a post, up to maybe an hour at most. Anything after that, it becomes a method of slipping shit past the community by masking it as something else, or changing it down the road to fuck with search engines.

      Also, it increases the amount of work mods have to do by not only monitoring new submissions but having to continuously monitor old ones for edits.

      At the very least, edits to the title should not overwrite the original after a short grace period but instead be considered “alternative” or “additional”. You can add onto it (i.e. Update: Cat has received scritches), but you can’t alter the original.

      I know we all hate Reddit for obvious and understandable reasons, but not everything it did was stupid. This is one of those things where the restriction was to both protect users and prevent abuse, not just because Reddit is mean and doesn’t like users.

      • @joyjoy
        link
        English
        41 year ago

        Moderators should be able to edit post titles. Something configurable per community.

      • @T156
        link
        English
        11 year ago

        Maybe have it be something that can be set per instance/community, and/or up to operators/moderators, like how downvotes are currently configured?

        That way, mods that don’t mind it can allow it, and ones that don’t want it can remove it.

        Although some way to be able to check and revert changes would probably also be handy, just in case of a malicious/accidental edit, whether due to a malicious user/operator/moderator, a bot going rogue, etc.

    • @MarsAgainstVenus
      link
      English
      101 year ago

      Maybe have a 5-minute window to allow for typo corrections and such. Otherwise, yeah. This could become dangerous.

    • @T156
      link
      English
      51 year ago

      Maybe something like a 5-minute update window? That way, you can fix issues with it, before it’s locked for good.

    • CoderKat
      link
      fedilink
      3
      edit-2
      1 year ago

      Titles being editable is really useful. So many posts have misleading titles, causing posts to have to either get removed or flaired (I don’t think we have an equivalent of flairing yet).

      Plus, unless we’re prohibiting editing the body or even comments within posts, it has similar risks to editing the title or URL. Though the post URL is the one most likely to get clicked and thus is the highest risk.

      It is something tooling could help detect. Moderator tools could detect posts changing the URL and flag the post for review. The general idea of spam filters apply well here. Spam filters aren’t just for completely preventing spam, but also for flagging potential spam. We could train spam filters on diffs of comments so that they can recognize when posts seemed to have completely changed in a way that we’d classify as spam.

      • @T156
        link
        11 year ago

        But at the same time, letting the title be edited can also cause problems later on, especially if it’s something that can be used to feign support, or something along those lines, on something a bit more malicious.

  • Salamander
    link
    fedilink
    English
    91 year ago

    It makes it a little bit easier to do, but it is not difficult to replicate this effect without changing the URL in the title - using a redirected URL and changing the redirect address, for example.

    I think that this small increase in the way this kind of attack can be delivered is more than counter-balanced by the convenience of having editable titles.

      • Salamander
        link
        fedilink
        English
        4
        edit-2
        1 year ago

        You don’t need to use a known redirect link. If the plan begins with a post that obtains 10,000 likes, I am sure the attacker can spend a small amount of effort and register a domain.

        • deweydecibel
          link
          English
          21 year ago

          Surely you don’t think that’s equivalent to a simple 5 second copy paste of a new URL into the textbox, right?

          And it’s not just about attack vectors, it’s also about stealth ads and misinformation

          • Cinner
            link
            fedilink
            41 year ago

            I’m not sure what you’re getting at but he’s right, it’s incredibly simple to setup a new redirect site.

        • @T156
          link
          English
          11 year ago

          However, that also takes money, and effort, which is a reasonable barrier to entry. That was possible on Reddit before, but that it didn’t take would suggest that it was more effort compared to the standard repost bot and all of that.

          Subreddits can also curb things by filtering out unknown sources/domains, or unreliable ones.

          Editing an existing post is a bit less effort, by comparison.

  • Sulfur
    link
    fedilink
    61 year ago

    Reminds me of a long time ago when GameSpot and GameFAQs forums merged. GameSpot users had the ability to edit titles so they would have threads like “what’s your shoe size?” Then they would change the title to something like “how old are you?” to get the GameFAQs posters banned (due to the minimum age requirements)

  • gun/linux
    link
    fedilink
    English
    61 year ago

    There’s also

    1. I create a well crafted post woth a url to a normal site in the body of my post that gets 10.000 upvotes.

    2. I change the URL to a malicious site.

    3. ???

    4. Profit

      • @[email protected]
        link
        fedilink
        English
        11 year ago

        Yeah, I had exact same thoughts lol, check my other comment with my thoughts and let me know what you think. Maybe I missed something.

  • @ronaldtemp1
    link
    English
    6
    edit-2
    1 year ago

    I see what you are doing here. But being able to edit title is so convenient, I couldn’t live without it.

    Maybe add a heads-up notice saying the URL has been specifically edited after some time has passed since post creation? e.g. Two hours?

    Or do something like what Twitter is doing now, letting users add specific context on the title notifying people about what changed, even confirming misinformation?

    Or always crosscheck the hyperlink in title or body with an open-source malicious site database and flag all malicious sites once and for all?

    • @DrYesOP
      link
      English
      5
      edit-2
      1 year ago

      I’m not talking about the title but the actual page a post links to. Your idea to mark edited URLs is great, though.

      Or always crosscheck the hyperlink in title or body with an open-source malicious site database and flag all malicious sites once and for all?

      The internet is in flux. Once and for all is not possible.

    • @DrYesOP
      link
      English
      11 year ago

      deleted by creator

  • @[email protected]
    link
    fedilink
    English
    6
    edit-2
    1 year ago

    In addition to what was suggested before, editing the title could disable hyperlinks in the title, adding anotger layer of protection from malicious edits.

  • @[email protected]
    link
    fedilink
    English
    51 year ago

    It would be important to ensure, that the URL can only be changed until a few minutes after submission to correct any mistakes.

  • @Hazen
    link
    English
    11 year ago

    One down vote?? Why lol