Elijah

@jonty @atatassault

ok so I looked into this:

to change your handle in bluesky you need to call the updateHandle function which passes through some things. first it validates if the handle is valid (which does not validate punycode 💀)

assuming you have a handle like s3.amazonaws.com, that's not one of the "supported domains" in bsky.social's pds (instance) so it has to go through an extra function called resolveExternalHandle. it will first check if it has a txt record with did={did} where..

Elijah

@jonty @atatassault
did is a user id. if it fails, then "no worries it's just not found". then it calls the xrpc for what the did should be

so if you look at s3.amazonaws.com, the xrpc would be s3.amazonaws.com/xrpc/com.atpr. which funny enough returns a did that's equal to Chaz Schlarp's

so this isn't possible unless you can create /xrpc/com.atproto.identity.resolveHandle, so no cdn.discordapp.net or gist.github.com. still, really funny

Elijah

@jonty @atatassault

you don't need to have a pds running to verify your domain, but it's a failsafe in case the dns doesn't work

what I am currently looking into is how to fix this lol, it's obviously intentional but I can't seem to see why and obviously if you can control what the domain is then you can impersonate the domain itself. which makes me wonder if other object storages are at risk
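Added example, not code from the thread or from Bluesky: a small Python resolver that follows the order Elijah describes (the `_atproto` TXT record first, then the xrpc fallback served by the domain itself) and then applies the check a PDS would want before trusting the result, that the DID the handle resolves to also claims that handle in its DID document. The DNS, xrpc and DID-document data are constructed stand-ins, and the `alsoKnownAs` bidirectional check is an assumption of this example rather than something the thread states.

```python
import re
from typing import Optional

# Constructed sample data (not real records): one handle that resolves via DNS,
# one "storage bucket" style domain that resolves only through the HTTP fallback,
# and a DID document that claims just the first handle.
DNS_TXT = {
    "_atproto.alice.example.com": ["did=did:plc:aaaa1111"],
}
HTTP_XRPC = {
    # stands in for GET https://<handle>/xrpc/com.atproto.identity.resolveHandle
    "bucket.example-storage.net": {"did": "did:plc:aaaa1111"},
}
DID_DOCS = {
    "did:plc:aaaa1111": {"alsoKnownAs": ["at://alice.example.com"]},
}

HANDLE_RE = re.compile(r"^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def handle_is_valid(handle: str) -> bool:
    """Reject non-ASCII and punycode (xn--) labels, which the thread notes the validator misses."""
    h = handle.lower()
    if not h.isascii() or any(label.startswith("xn--") for label in h.split(".")):
        return False
    return bool(HANDLE_RE.match(h))


def resolve_handle(handle: str) -> Optional[str]:
    """Resolution order from the thread: _atproto TXT record, then the xrpc fallback on the domain."""
    for record in DNS_TXT.get(f"_atproto.{handle}", []):
        if record.startswith("did="):
            return record[len("did="):]
    body = HTTP_XRPC.get(handle)  # anyone serving content at that path controls this answer
    return body.get("did") if body else None


def verify_handle(handle: str) -> bool:
    """Bidirectional check: the resolved DID's document must itself list at://<handle>."""
    if not handle_is_valid(handle):
        return False
    did = resolve_handle(handle)
    if did is None:
        return False
    doc = DID_DOCS.get(did, {})
    return f"at://{handle}" in doc.get("alsoKnownAs", [])
```

The bucket-style domain resolves to Alice's DID through the fallback, but fails `verify_handle` because her DID document never claimed it.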
