# Bluesky

Bluesky / AT Protocol vulnerability disclosures and exploit framework
## What is this?
This repository contains [exploit modules](#exploit-list) for [Bluesky](https://bsky.app/), using a framework that simplifies the creation of new modules as new exploits are discovered.
## Why?
I have discovered a number of security vulnerabilities in Bluesky and [atproto](https://atproto.com/). Each time I've found something new, I've chosen to report it to Bluesky at [[email protected]](mailto:[email protected]), as requested at <https://bsky.app/.well-known/security.txt>, and provide them with details.
Bluesky has responded to ***only one*** of these reports, ***one time***, 4 days after submission, saying `"We appreciate the report, and we'll be taking a closer look at the issue."`. They did not follow up on that report and they have not responded to any of my other reports.
One particular issue that I first reported a month earlier was later reported to Bluesky again, separately and unknowingly, by a second security researcher, and a partial fix was committed later that day. However, Bluesky did not follow up with me to verify that the commit fully solved the issue (it did not), and there has been no acknowledgement, publicly *or privately*, of my contributions.
As a security researcher, I take security extremely seriously. It has become apparent to me that Bluesky does not take it quite so seriously.
Bluesky has been made aware on numerous occasions that the safety of all Bluesky users has been and continues to be at risk, yet they choose to do nothing.
If releasing tools to exploit these issues is what it takes to ensure that Bluesky begins to take security seriously and actually keep their users safe, then so be it. This is ***not*** the route I wanted to go, but they forced my hand.
## It's written in TypeScript? Really?
Yes. Fight me. I threw it all together in a single evening (with `eslint` and `prettier`, even) -- you shouldn't really expect much from this.
## Exploit List
### [post-disguised-link](src/exploits/post-disguised-link.ts)
`yarn start exploit pdl --auth-token '...' --post 'Benign text with fake URL: https://google.com/search?q=puppies' --uri 'https://nefarioussite.com/' --start 27 --length 35`
Creates a post with the text `--post`, which contains a disguised link to `--uri`, using `--length` characters starting from `--start` as the link text.
> **Jason Parker** @handle.invalid · **12m**
> Benign text with fake URL: [https://google.com/search?q=puppies](https://nefarioussite.com/)
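A defender-side check for the disguise this module produces, added here as an example and not part of the repository: it walks a post record's link facets and flags any whose visible text names a different host than the facet's target URI. It assumes the standard `app.bsky.richtext.facet#link` record shape with UTF-8 byte offsets; the sample post is constructed to mirror the invocation above.

```typescript
// Flag posts whose visible link text names a different host than the
// facet's actual target URI. Assumes the standard app.bsky.richtext.facet#link
// shape, where byteStart/byteEnd are UTF-8 byte offsets into `text`.

interface LinkFeature { $type: string; uri: string }
interface Facet { index: { byteStart: number; byteEnd: number }; features: LinkFeature[] }
interface PostRecord { text: string; facets?: Facet[] }
interface DisguisedLink { shownText: string; uri: string; shownHost: string; targetHost: string }

const LINK_TYPE = 'app.bsky.richtext.facet#link';

// Returns the normalised host named by a URL or bare domain, or null when the
// string is ordinary text (plain words are not treated as hosts).
function hostOf(s: string): string | null {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : `https://${s}`;
  try {
    const h = new URL(candidate).hostname.toLowerCase().replace(/^www\./, '');
    return h.includes('.') ? h : null;
  } catch {
    return null;
  }
}

function findDisguisedLinks(post: PostRecord): DisguisedLink[] {
  const bytes = new TextEncoder().encode(post.text);
  const dec = new TextDecoder();
  const out: DisguisedLink[] = [];
  for (const facet of post.facets ?? []) {
    const { byteStart, byteEnd } = facet.index;
    // Offsets outside the text are malformed; skip rather than slice garbage.
    if (byteStart < 0 || byteEnd > bytes.length || byteStart >= byteEnd) continue;
    const shownText = dec.decode(bytes.subarray(byteStart, byteEnd));
    const shownHost = hostOf(shownText);
    if (shownHost === null) continue; // anchor text is not URL-like; nothing to compare
    for (const f of facet.features) {
      if (f.$type !== LINK_TYPE) continue;
      const targetHost = hostOf(f.uri);
      if (targetHost !== null && targetHost !== shownHost) {
        out.push({ shownText, uri: f.uri, shownHost, targetHost });
      }
    }
  }
  return out;
}

// Constructed sample mirroring the pdl invocation above (not a real post).
const samplePost: PostRecord = {
  text: 'Benign text with fake URL: https://google.com/search?q=puppies',
  facets: [{ index: { byteStart: 27, byteEnd: 62 }, features: [{ $type: LINK_TYPE, uri: 'https://nefarioussite.com/' }] }],
};
```

`findDisguisedLinks(samplePost)` returns one hit with `shownHost` `google.com` and `targetHost` `nefarioussite.com`; a post whose facet URI matches its visible URL returns an empty array.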
### [post-fake-link-card](src/exploits/post-fake-link-card.ts)
`yarn start exploit pflc --auth-token '...' --post 'Wow, neat.' --uri 'https://cnn.com/' --title 'World Leader dead at 42.' --description 'According to their spokesperson, World Leader was found dead in their home on Tuesday night. They were 42.'`
Creates a post with the text `--post`, which includes a link card to `--uri` with a title of `--title` and description of `--description`.
Note: Link cards can contain arbitrary thumbnails, but they are not currently supported here.
![](src/exploits/post-fake-link-card.png)
> **Jason Parker** @handle.invalid · **12m**
> Wow, neat.
>
>> [cnn.com](https://cnn.com/)
>> **World Leader dead at 42.**
>> According to their spokesperson, World Leader was found dead in their home on Tuesday night. They were 42.
## How?
`yarn build` to build.
`yarn start` for a list of commands.
`yarn start exploit` to show a list of available modules.
`yarn start exploit <name> [args...]` to execute a particular exploit.
`--auth-token` can be obtained from the Authorization header, via Developer Tools in a web browser. The authorization scheme (`Bearer`) is added here automatically and should not be included in the argument.
## Contact
Jason Parker
Email: [north@ꩰ.com](mailto:north@ꩰ.com)
Mastodon: [@north@ꩰ.com](https://ꩰ.com/@north) / [@[email protected]](https://fosstodon.org/@north)