maleviolent

loves to -atic your problems

  • xe/xir + it/its [NO THEY]

30+ ★ queer [&] neurodiverse
nonwhite ★ clinically disastrous ★ purveyor of too much media ★ govt assigned cagab is information you're not entitled to

account made 15/02/'24


maleviolent
@maleviolent

edit: A very kind user in the comments has informed me that this is essentially just not possible on cohost unless the client is exploited, and that cohost has very pointed protections against remote loading of scripts.

(<-- this has been in the cohost meta tag)
I think some people are missing the bigger point on this "IP address" business, which isn't that the storage or knowledge of IP addresses matters (no, it doesn't) but that, because cohost allows CSS in posts, it does make it possible for someone to potentially hide malware in their cute CSS crimes post (or even an apparently normal-appearing post). It has probably not happened yet and ideally it never would, but bad actors exist and it may sometime happen. (What I am a little bit confused about is why people are suddenly realizing this is a possibility...)

Disclaimer that I know nothing really about computers (especially in comparison to the deeply knowledgeable crowd of computer touchers on cohost), but I am actually aware of the fact that places like forums and Wikipedia will publicly display your IP as a signature/username of sorts if you use them (by writing comments/updating articles) anonymously. Even 4chan logs your IP address. You literally need it to use the Internet.


maleviolent
@maleviolent

I genuinely love to be wrong! Please ignore everything I said and feel cozycomfy safe using webbed site.



in reply to @maleviolent's post:

that because cohost allows CSS in posts, it does make it possible for someone to potentially hide malware in their cute CSS crimes post (or even an apparently normal-appearing post). It has probably not happened yet and ideally it never would, but bad actors exist and it may sometime happen. (What I am a little bit confused about is why people are suddenly realizing this is a possibility...)

What do you mean by this? There's no conceivable mechanism for this that is enabled by direct linking (which is what the "IP address exposure" issue is really talking about).

Hello! Some of your posts I saw around helped inform me about different details. Again, I Really Don't Know Computer Things. The comments on this post ( https://cohost.org/minecraft/post/5250583-fun-fact-these-are ) by @janederscore and @minecraft are the basis of my commenting. -- I guess I believed it was possible because it seems like it's something that's possible?

This is also the post that I think some people only saw the first three bits of, which were more about IP addresses, and started teasing/making fun of users for being concerned about IP address stuff; I wanted to bring more attention to what @janederscore and @minecraft were saying. But I am not really a computer toucher, so maybe I should not have said anything and have been stupid about this!

No, I'm not trying to rip on you; that was a sincere question, since I don't know what sort of malware you could have been pointing at. So what I can tell you is that in the scenario those commenters are talking about, there's still no reasonable possibility of transmitting malware to the client. What they're talking about is executing code on the remote server (which happens basically any time you make a web request to any site), with the implication that the server-side code could do something nefarious. Frankly, I have to assume that the people in those comments also don't really understand what they're talking about and are running off half-remembered information they didn't really get in the first place.

Oh, no, I know you're not -- or I wanted to believe so. It's me ripping on me, because I'm keenly aware of how much I don't know and that I might be very silly in posting this and talking about it. I know a tiny bit about code (HTML + CSS; like, I can create a webpage/website 👍 if I spend a very long time on it 👍, but that's it), but the gap between what I know, how malware works, and what people who make malware want (and how they get it) is like... I feel that distance of knowledge.

Hmm, that... doesn't really make sense. (Server-side code doing something nefarious). Thank you for explaining!

Like, for example, is someone not capable of setting the background to a malicious file? Or, because cohost's CSS capabilities are limited to only posts, is that not possible? (Whereas with the functionality of a space like tumblr, where you could change the entire blog's code, it was definitely possible to place something malicious into the code.)

It really isn't. Barring an exploit in the client which would allow malicious code to be embedded in an image (in which case Google is a much bigger risk to you than Cohost!), there's no way to transmit malicious executable code embedded in data like that. The only possible mechanism would be transmitting malicious JavaScript in some executable form, but Cohost has specific protection against remote loading of any scripts, and every browser in the world has protection against embedded scripts in SVG files. Tumblr's customization allows (or I think allowed, past tense?) JS to be embedded, but Cohost explicitly does not. Really, if you read through those posts again, you'll notice the "exposure" is really just tracking IP addresses, a notional exposure of identifying information.

This is wonderful to know, and I appreciate you explaining it to me in what's probably layman's terms I can understand. I'm going to remove my cohost meta tag and edit my post. Thank you for being patient with me! Sorry to add to the fearmonger pile (and for double replying sdfkhjdfh), but I really did think they had a point, because being able to add malicious code is something I was certainly capable of doing on, say, tumblr, but I haven't really messed with cohost that much to know if it was possible or not (and also don't want to).
(What I'm referencing on tumblr, again, is that I forcibly redirected certain groups of IPs off my blog some years ago as a very firm "fuck you" to people I reasonably & broadly assumed were those I didn't want there, because tumblr's blocking system is/was a nightmare. And being able to redirect people is definitely something that can go in a nasty way, so... if cohost was at all capable of anything remotely like that through interaction, then there lay my concerns -- but they're now abated!)

Yeah, Cohost has been very good about preventing even "non-destructive" exploits; at one point someone found a way to get around the restrictions on tags styled with "position:fixed" (that lets you put an HTML entity anywhere on the browser screen with no restrictions; it's a little hard to explain, and that should tell you something: CSS is already sanitized before they let you post it), and for a couple of hours people (including myself, heh) were messing around with it, so depending on which posts you saw, for a couple of hours people's timelines were blurry, purple, covered in rain and had a creepy transparent image of Giygas from EarthBound floating over top, which was obviously not great! And so they fixed it within a few hours. There's just no real risk of malware, period.

There is an information exposure in letting people just embed images, but "it's a CGI script/PHP/etc" is a complete red herring, and as I pointed out in those other posts, the information exposure isn't... really a thing? The idea of a "doxxing engine", as that one person put it in their tags, for instance, is just sheer paranoia.
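The sanitization the reply above describes (CSS allowed in posts, but no script loading and no position:fixed escaping the post box) can be sketched as a small allow-list filter over a post's declarations. The following is an added example written for this page; it is not cohost's own sanitizer, and the policy it encodes (the denied properties, the position:fixed rule, http(s)-only url() targets) is an assumption chosen to illustrate the comment above. The sample declarations are constructed.

```javascript
// Added example for this page, not cohost's own code. A minimal allow-list
// sanitizer for the CSS declarations a post may carry. Every policy choice
// below (denied properties, the position:fixed rule, http(s)-only url())
// is an assumption made to illustrate the comment above.

// Legacy properties that can pull in script (IE behaviors, XBL bindings).
const DENIED_PROPERTIES = new Set(["behavior", "-moz-binding"]);
// position values that would let a post escape its own box on the timeline.
const DENIED_POSITION_VALUES = new Set(["fixed"]);
// url() may only point at remote http(s) resources, i.e. plain image loads.
const ALLOWED_URL_SCHEMES = new Set(["http:", "https:"]);

// Remove /* */ comments first: "posi/**/tion" is a classic way past a naive filter.
function stripComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, "");
}

// Split on ';' only outside quotes and parentheses, so a ';' inside
// url(...) (e.g. a data: URI) does not break a declaration in two.
function splitDeclarations(block) {
  const out = [];
  let depth = 0;
  let quote = null;
  let cur = "";
  for (const ch of block) {
    if (quote) {
      cur += ch;
      if (ch === quote) quote = null;
      continue;
    }
    if (ch === "'" || ch === '"') quote = ch;
    else if (ch === "(") depth += 1;
    else if (ch === ")") depth = Math.max(0, depth - 1);
    else if (ch === ";" && depth === 0) {
      out.push(cur);
      cur = "";
      continue;
    }
    cur += ch;
  }
  out.push(cur);
  return out;
}

// Pull every url(...) argument out of a value, quoted or bare.
function extractUrls(value) {
  const urls = [];
  const re = /url\(\s*(['"]?)([^'")]*)\1\s*\)/gi;
  let m;
  while ((m = re.exec(value)) !== null) urls.push(m[2].trim());
  return urls;
}

// Relative and unparseable URLs are rejected along with non-http(s) schemes,
// so javascript:, data: and vbscript: never reach the browser.
function urlIsAllowed(raw) {
  try {
    return ALLOWED_URL_SCHEMES.has(new URL(raw).protocol);
  } catch {
    return false;
  }
}

// Sanitize one declaration block ("prop: value; prop: value").
// Returns the kept declarations joined back together plus a list of what was
// dropped and why, which is what you would want to log on the server.
function sanitizeDeclarations(block) {
  const kept = [];
  const rejected = [];
  for (const raw of splitDeclarations(stripComments(block))) {
    const text = raw.trim();
    if (!text) continue;
    const idx = text.indexOf(":");
    if (idx < 0) { rejected.push({ decl: text, reason: "malformed" }); continue; }
    const prop = text.slice(0, idx).trim().toLowerCase();
    const value = text.slice(idx + 1).trim();
    const lower = value.toLowerCase();
    let reason = null;
    if (prop.startsWith("@")) reason = "at-rules such as @import are not allowed";
    else if (DENIED_PROPERTIES.has(prop)) reason = "property can load code";
    else if (/expression\s*\(/.test(lower)) reason = "expression() is script";
    else if (prop === "position" && DENIED_POSITION_VALUES.has(lower)) reason = "position:fixed escapes the post";
    else {
      const bad = extractUrls(value).find((u) => !urlIsAllowed(u));
      if (bad !== undefined) reason = `disallowed url: ${bad}`;
    }
    if (reason) rejected.push({ decl: text, reason });
    else kept.push(`${prop}: ${value}`);
  }
  return { css: kept.join("; "), rejected };
}

// Constructed sample of what a "css crimes" post might try to include.
const SAMPLE_POST_CSS = [
  "color: red",
  "position: fixed",
  "background: url('https://example.com/cute.png')",
  "behavior: url(evil.htc)",
  "width: expression(alert(1))",
  "background-image: url(javascript:alert(1))",
  "@import url(https://evil.example/x.css)",
].join("; ");

console.log(JSON.stringify(sanitizeDeclarations(SAMPLE_POST_CSS), null, 2));
```

Two things worth noticing. The one declaration that survives with a url() in it is a plain image load from a third-party host, and that load is exactly the "information exposure" the comment above refers to: the host serving the image sees the reader's IP address, nothing more. And this filter is deliberately naive about CSS escapes (`expr\65 ssion(`) and vendor parsing quirks, which is why a real sanitizer should run a proper CSS parser over a normalized token stream rather than regexes over raw text.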

That sounds like it was so much fun. But I'm glad staff fixed it shortly after, because it is reasonably a concern. Also glad nothing terrible happened (it sounds like) and people just had good clean chaotic fun. :p

As far as embedded images go, you're talking about metadata?
I didn't even see the "doxxing engine" comment, lol. From IP address??? That's definitely some paranoia.