Git bisecting reveals https://git.mills.io/yarnsocial/yarn/commit/3a760502be273c306b488f8815adfd85b97a37f0 from five weeks ago. This updates all sorts of dependencies. Markdown and lextwt jump into my eye. These are my best bets so far.
@lyse@lyse.isobeef.org I think it’s these lines of code: https://git.mills.io/yarnsocial/yarn/src/commit/5101ec240ddb0e5e39809bf8a7b847508b3ac298/internal/feed.go#L162-L166
@prologic@twtxt.net Yep. Doesn’t matter if JS in turned on or not. So it is somewhere hiding in the Go core. Some replacement going berserk, I’d say.
It happens to each bracketed text individually: https://lyse.isobeef.org/tmp/bracketed-text/triple.png
But then the question still is, why on earth does it happen to old twts, too? I’m getting into my code excavator.
It’s also (expectedly) in the feed file on disk:
2024-08-04T21:22:05+10:00 [foo][foo=][foo][foo=]
@lyse@lyse.isobeef.org Holy fucking shit! You’re right! You got me out of bed for this one, I spun my local dev instance and entered a Twt with [foo]
and ended up with [foo][foo=][foo][foo=]
wut da actual fuq?! 🤔
The reason I think this is some kind of attack is based on the repeated content and some of its uniqueness 🤔 This is so uncharacteristic if both victims 🤔
@stigatle@yarn.stigatle.no Nice one 🥳 Kooking really good! 👌
@lyse@lyse.isobeef.org I’m not sure this is a bug to be honest? What possible code could cause this?! 🤔
Righto, @prologic@twtxt.net, I just checkout out current main of yarnd (commit 5101ec240ddb0e5e39809bf8a7b847508b3ac298) and ran make dev
. After registering a user and logging in, I then entered a twt with double bracketed text (without the equal sign on the second one, though) and it was expanded into eight brackets. So, this is clearly a bug. Let me dig deeper.
I hope I zoomed in enough, so you can read the stuff on my screenshot: https://lyse.isobeef.org/tmp/bracketed-text/bug.png
@lyse@lyse.isobeef.org Thank you! 🙏
@prologic@twtxt.net To clarify, I meant some kind of a cache poisoning attack using the gossipping mechanism to inject garbage on purpose. Not hijacked user accounts.
However, since this all relates to bracketed text, I do not find an attack of some sort very likely. It’s probably just a bug somewhere.
Media upload works, light\dark theme enabled. Tested it on debian\windows - works out of the box, statusbar moved to bottom for cleaner UI. Next is working more on ui when it refreshes the timelines. .
@prologic@twtxt.net Here’s an attempt at an analysis: https://lyse.isobeef.org/tmp/bracketed-text/
I just set up a cronjob to fetch and analyze both feeds every six hours. I probably have to do some dedup, otherwise the list gets out of handy rather quickly.
How do the feeds look on disk? Do they already contain this bracketed text?
Because the handle just serves the Twtxt file directly.
@bender@twtxt.net / @mckinley@twtxt.net could you both please change your password immediately? I will also work on some other security hardening that I have a hunch about, but will not publicize for now.
Hmm I see it! It’s so obvious 🤦♂️ I smell an attack of some kind.
@lyse@lyse.isobeef.org No problems! Is it stils in the list when I redo this search, it’ll be gone 😅
@lyse@lyse.isobeef.org This is really weird. Do you have an example of this bracketed text? Re peers, I’m aware of all the peers, nothing surprising there.
And now, @bender@twtxt.net’s feed changed, too. Bracketed text got duplicated once again.
How do the feeds look on disk? Do they already contain this bracketed text?
For reference, I just placed a copy of the feed here: https://lyse.isobeef.org/tmp/bracketed-text/bender-2024-08-04-10-34.txt
I haven’t marked the changed twts by @mckinley@twtxt.net as read last time, so I don’t know if something changed there as well. In any case, current snapshot: https://lyse.isobeef.org/tmp/bracketed-text/mckinley-2024-08-04-10-39.txt
Yarnd gossipping might be the reason for the truncated stuff, @prologic@twtxt.net. Who are your peers? Any obvious broken yarnd version or even some kind of an attacker involved? But there must be something else broken in yarnd for the bracketed text to be duplicated.
@bender@twtxt.net This one had me laugh real hard! :‘-D Well done, mate.
@prologic@twtxt.net Ah, I already forgot that I had a backup user Let’s get rid of this guy. :-)
yarnc debug <url>
only sees the 2nd hash Media
@prologic@twtxt.net In that screenshot (https://twtxt.net/media/7c3rEWveU64SAxrXZ6CDYS.png), all the bracketed stuff is duplicated again, compared to lyse’s original twt. I suspect that’s the cause for the changed hash.
I could not reproduce this by manually duplicating those text areas in lyse’s twt. I end up with the hash pjdciga
instead, but I probably mistyped something.
@prologic@twtxt.net Still expands to almost the correct raw twt, though: https://movq.de/v/c6243a9e61/s.png
@prologic@twtxt.net, what makes your mention of my handle show differently like this?
@mckinley@twtxt.net That’s actually all I used it for myself 👌 All those other “bells ‘n whistles” are really just Traefik supporting lots of alternate setups and drivers for discovery, etc.
@bender@twtxt.net LOL 🤣
@bender@twtxt.net LOL 🤣
@prologic@twtxt.net no worries! It pains me to find bugs in Yarn, though. I want it to be flawless, you know, like Microsoft Windows. 🤭
@mckinley@twtxt.net Caddy is simpler and act as both, web server and a reverse proxy. Traefik is only—albeit on steroids—a reverse proxy.
@mckinley@twtxt.net it is opt-in because all your devices logged into the same iCloud account need to be at a compatible level. You also have to have a designated recovery account member which, obviously, you need to manually add.
@prologic@twtxt.net ah, fuck it, don’t worry. I consider one the original (I flip a coin to pick which), and the other’s a backup, just in case. 😂
@bender@twtxt.net That’s great, actually, but it’s a shame you have to opt in to it.
@prologic@twtxt.net Ah yes, the other Go reverse proxy. Caddy seems simpler to me, more like Nginx with better defaults and a built-in ACME client. Traefik seems to have way more bells and whistles for all kinds of crazy setups when I only need to map domain names to containername:port pairs.
$ wc -l inactive.txt
152 inactive.txt
👋 At some point over the next day or two I will be deleting the following feeds/accounts:
https://gist.mills.io/prologic/ae61ae2bfba6401e8955a33394fd858b
If anyone spots anything on this list that shouldn’t be deleted, please let me know! 🙏
@movq@www.uninformativ.de@ does not hmmm
@prologic@twtxt.net works
The mobile autocomplete bug is something I can reproduce and likely fix soon™ – I think its happenning because I accidentally nuked this pod’s cache the other day (sorry!) 😢 – But it is also a bug 🐛
Like what was this meant to be anyway?
"[Scheduled][Scheduled=][Scheduled][Scheduled=][Scheduled][Scheduled=][Scheduled][Scheduled=]"
As for @mckinley@twtxt.net ’s odd Twt, I only see one instance of this:
2023-01-09T22:42:37Z (#dusjj6a) @<lyse https://lyse.isobeef.org/twtxt.txt> As far as I know, they're still visible in the Web UI. Although, in the mobile app and youtube.com, I believe it tells you that the video isn't available without having to click on it. They don't tell you that in the RSS feed, and I agree; it gets annoying.
If we had a custom feed generator that hooks directly into the YouTube API, I'll bet we could find that information and put "[Scheduled][Scheduled=][Scheduled][Scheduled=][Scheduled][Scheduled=][Scheduled][Scheduled=]" in the title for premieres and remove it when the video is available.
And I have no fucking clue how this happened. I can’t imagine anything in the yarnd
codebase would be responsible for this weirdness 🤣
@mckinley@twtxt.net Nah it wasn’t me, trust me 🤣 I actually use Traefik for my ingres.
I don’t think I’m smart enough to figure this out 😅
I can’t explain this. I’m leaning towards a peering pod being responsible for producing a different hash, and twtxt.net pulling that in from a peer. But that would only happen if my pod doesn’t have the Root Twt ans asked its peers for it. And that implies other pods are producing incorrect/different hashes “somehow”. So all of that seems highly unlikely tbh.
bsormva
is not a hash found in @lyse@lyse.isobeef.org ’s feed at all according to yarnc debug
which is printing the hash and corresponding Twt per line.
That is this one:
ta6uu5q 2024-08-03T19:30:00+02:00 (#puxvjcq) Hmmm, what is going on here? ...
A equivalent yarnc debug <url>
only sees the 2nd hash
All the “magic” might be nice in the short term, but as it becomes the default it can paper over some really questionable decisions when it’s too late to change them. This can be applied to a number of things in computing but the best example I can think of is networking. (Side note: That’s one of my favorite blog posts ever.)
Things start out simple and got more complicated until someone figures out how to cover up the mess. Then, since nobody wants to get in there and fix it properly and everyone else has already moved on, we just ignore what’s behind the curtain and hope it all keeps working.
Computers aren’t meant to give me three different answers 🤣