Elijah

@jonty @atatassault
A DID is a user id. If it fails, then "no worries, it's just not found". Then it calls the XRPC for what the DID should be.

So if you look at s3.amazonaws.com, the XRPC would be s3.amazonaws.com/xrpc/com.atpr. which, funny enough, returns a DID that's equal to Chaz Schlarp's.

So this isn't possible unless you can create /xrpc/com.atproto.identity.resolveHandle, so no cdn.discordapp.net or gist.github.com. Still, really funny.

1 comment
Elijah

@jonty @atatassault

You don't need to have a PDS running to verify your domain, but it's a failsafe in case the DNS doesn't work.

What I am currently looking into is how to fix this lol. It's obviously intentional, but I can't seem to see why, and obviously if you can control what the domain is, then you can impersonate the domain itself. Which makes me wonder if other object storages are at risk.
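The thread above describes a handle lookup that falls through DNS, the well-known file and finally the domain's own XRPC endpoint, and notes that whoever controls a shared domain's XRPC answer can claim it. The following is an added example, not code from the thread or from any AT Protocol implementation: a small resolver that models that fall-through order and then applies the check that makes the result trustworthy, namely that the resolved DID's document must list `at://<handle>` in its `alsoKnownAs`, so a DID answered by someone else's endpoint does not verify. The three lookup channels are injected callables and all handles, DIDs and DID documents are constructed sample data, so it runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A lookup takes a handle and returns a DID string, or None when that
# channel has nothing for the handle. Network errors surface as exceptions.
Lookup = Callable[[str], Optional[str]]


@dataclass
class Resolution:
    handle: str
    did: Optional[str]
    source: Optional[str]   # which channel produced the DID
    verified: bool          # True only when the DID document points back at the handle
    reason: str


def resolve_did(handle: str, channels: List[Tuple[str, Lookup]]) -> Tuple[Optional[str], Optional[str]]:
    """Try each channel in order; a failing channel is treated as 'not found'."""
    for name, lookup in channels:
        try:
            did = lookup(handle)
        except Exception:
            did = None
        if did and did.startswith("did:"):
            return did, name
    return None, None


def verify_handle(handle: str, channels: List[Tuple[str, Lookup]], did_docs: Dict[str, dict]) -> Resolution:
    """Resolve the handle, then require the DID document to claim it back."""
    did, source = resolve_did(handle, channels)
    if did is None:
        return Resolution(handle, None, None, False, "handle not found on any channel")
    doc = did_docs.get(did)
    if doc is None:
        return Resolution(handle, did, source, False, "DID document could not be fetched")
    # Bidirectional check: an answer from the domain is not enough on its own;
    # the DID's own document has to list this handle, otherwise a shared domain
    # answering with someone else's DID would verify as that person.
    if f"at://{handle}" not in doc.get("alsoKnownAs", []):
        return Resolution(handle, did, source, False, "DID document does not claim this handle")
    return Resolution(handle, did, source, True, "ok")


# --- Constructed sample data (hypothetical handles, DIDs and documents) ---
SAMPLE_DID_DOCS: Dict[str, dict] = {
    "did:plc:alice-sample": {
        "id": "did:plc:alice-sample",
        "alsoKnownAs": ["at://alice.example.com"],
    },
}


def sample_dns_txt(handle: str) -> Optional[str]:
    # Models the _atproto.<handle> TXT record; only alice has one.
    return {"alice.example.com": "did:plc:alice-sample"}.get(handle)


def sample_well_known(handle: str) -> Optional[str]:
    # Nobody in this sample serves /.well-known/atproto-did.
    return None


def sample_xrpc_resolve(handle: str) -> Optional[str]:
    # Models a shared hosting domain whose XRPC endpoint answers with a DID
    # that belongs to a different account (the situation the thread describes).
    if handle == "shared-storage.example.test":
        return "did:plc:alice-sample"
    raise ConnectionError("no XRPC endpoint on this host")


SAMPLE_CHANNELS: List[Tuple[str, Lookup]] = [
    ("dns", sample_dns_txt),
    ("well-known", sample_well_known),
    ("xrpc", sample_xrpc_resolve),
]


def demo_verify(handle: str) -> Resolution:
    """Run the verifier against the constructed sample channels and documents."""
    return verify_handle(handle, SAMPLE_CHANNELS, SAMPLE_DID_DOCS)


if __name__ == "__main__":
    for h in ("alice.example.com", "shared-storage.example.test", "nobody.example.test"):
        print(demo_verify(h))
```

In the sample, `alice.example.com` resolves through DNS and verifies, `shared-storage.example.test` resolves through the XRPC channel to alice's DID but is rejected because alice's document does not claim that handle, and an unknown handle is simply reported as not found.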
