idadeerz
@idadeerz

i love cohost, but there's several bugs and other quirks i've discovered on here that are... kind of site-breaking if you'd ask me. it's great that nobody has misused them yet other than me and my friends testing things out, but it's also the kind of stuff that i could see going wrong very easily?

the other day i discovered there's no cap on image resolution. what's stopping someone from completely crapping up the timeline with thousands of posts with high resolution images like the one i posted a few days ago? since i also discovered there's no ratelimit on asks, what's stopping someone from making a bot that just fills people's asks up with high resolution images that just crash the asks page instantly? i know you can't upload images in asks, but you can link them from elsewhere, and @MagicalMya tried this out on my alt's asks page and it just made it completely unusable because of all the lag. it doesn't even need to be asks with images in them; i could theoretically just run an autoclicker that spams empty asks indefinitely if i just happen to feel like making anyone's asks page totally unusable.

honestly, what are the chances someone could DDoS cohost using bugs like these? i'm not some kind of epic hacker who knows what they're talking about, and i'm sure cohost has protections against that already. but i do think about it often, and i want to ask the question regardless. could that happen somehow?


in reply to @idadeerz's post:

blows the dust off my infosec witch hat in the corner which I now only wear on special occasions

As to the DDoS-ability of these things against cohost:

  • An uploaded-to-cohost image with absurdly high resolution but low file size could cause a problem, because they generate a smaller resolution as a preview. This means it's unlikely to cause a crash for a client. It might cause their preview generator to eat up way too much RAM. Or their preview generator might have a resolution limit above which it refuses to generate a preview. Those are the two options there I think - maybe an error in either case causes a cascading failure too though.
  • An embedded image with an absurd resolution or filesize will not cause any issues for cohost-the-service, because they don't process the actual images in that case. But it definitely causes a problem for clients. Honestly, given the ubiquity of embedded images across other sites like forums for so long I'm surprised it doesn't get more abuse there.
    • But, this is part of why GitHub, for example, doesn't actually leave direct image links in the README html-render, and instead downloads them on demand and re-hosts them from their own servers
      • And also to avoid IP address-leaks, and you already know about that one :p
    • They should probably factor image height into "read more" placement and hide super long media posts
  • Spamming asks or posts is probably not going to kill the servers if I had to guess because I doubt that's an expensive thing to have a lot of server side, but it's also a problem on clients
    • I extremely agree there should be a rate limit, that seems pretty important

I think that if there's currently a bug that can be exploited to nuke the servers (and there probably is somewhere, that's software babyyyyy), it's going to be a lot more subtle than any of these. But subtle in the way where as soon as someone points it out it seems exceedingly obvious.

Most of the things that make me go "uh... hmm.. wel, hm....................." that I run into are things that cause issues for site users rather than servers. Which is ALSO a problem, especially if used as an abuse vector (but even if it's on accident). It's a different class of problem. But it does worry me - I just haven't said much about them because I'm not sure if there's a proper channel for discreetly reporting security-ish bugs so I don't also arm people with the knowledge to exploit it themselves.