Open lumi4x opened 1 month ago
Yup! Thanks for the report.
As some context, the handle name in the mention and the DID in the facet are intentionally allowed to be mismatched. The use case for this is to have links (hyperlinks) continue to work if the account's handle is changed after the post is made.
Having a "new" post with a mismatch would most likely need to have been intentionally crafted to be misleading.
One possible mitigation for this would be to have the client detect the mismatch and rewrite the post text, or display a warning. It is hard for clients to tell whether the change was intentionally misleading or due to a handle change.
A more likely mitigation is to scan new posts and indicate/label them as misleading if the handle doesn't match.
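The mismatch check described in the comment above, as an added example that is not code from the atproto project or from this issue: it walks a post record's facets and flags each mention whose visible `@handle` text does not resolve to the DID in the facet. The facet shape follows the `app.bsky.richtext.facet` lexicon; `RESOLVER`, `mention_facet` and the sample post are constructed stand-ins (real clients resolve handles via DNS/`.well-known` lookup).

```python
# Added example: detect mention facets whose displayed @handle does not resolve
# to the facet's DID. Facet byte offsets are UTF-8 byte positions, per the
# app.bsky.richtext.facet lexicon. The resolver table is a constructed stand-in
# for live handle resolution. A legitimately renamed account also trips this
# check, so treat a hit as a labeling signal, not proof of intent.
from __future__ import annotations

MENTION = "app.bsky.richtext.facet#mention"

# Constructed handle -> DID table (placeholder DIDs, not real identifiers).
RESOLVER = {
    "bsky.app": "did:plc:EXAMPLE-bsky-app",
    "attacker.example": "did:plc:EXAMPLE-attacker",
}

def resolve_handle(handle: str) -> str | None:
    return RESOLVER.get(handle.lower())

def mention_facet(text: str, handle: str, did: str) -> dict:
    """Build a mention facet covering the first '@handle' in text (byte offsets)."""
    needle = "@" + handle
    char_start = text.index(needle)
    byte_start = len(text[:char_start].encode("utf-8"))
    byte_end = byte_start + len(needle.encode("utf-8"))
    return {"index": {"byteStart": byte_start, "byteEnd": byte_end},
            "features": [{"$type": MENTION, "did": did}]}

def find_mismatched_mentions(record: dict) -> list[dict]:
    """Return one finding per mention facet whose shown handle != facet DID."""
    text_bytes = record.get("text", "").encode("utf-8")
    findings = []
    for facet in record.get("facets", []):
        idx = facet.get("index", {})
        span = text_bytes[idx.get("byteStart", 0):idx.get("byteEnd", 0)]
        shown = span.decode("utf-8", errors="replace").lstrip("@")
        for feature in facet.get("features", []):
            if feature.get("$type") != MENTION:
                continue
            resolved = resolve_handle(shown)
            if resolved != feature.get("did"):
                findings.append({"shown_handle": shown,
                                 "facet_did": feature.get("did"),
                                 "resolved_did": resolved})
    return findings

# Constructed sample: the first mention shows "@bsky.app" but points at the
# attacker's DID; the second is a consistent, benign mention.
SAMPLE_TEXT = "Héllo, follow @bsky.app and @attacker.example"
SAMPLE_POST = {"text": SAMPLE_TEXT, "facets": [
    mention_facet(SAMPLE_TEXT, "bsky.app", RESOLVER["attacker.example"]),
    mention_facet(SAMPLE_TEXT, "attacker.example", RESOLVER["attacker.example"]),
]}

if __name__ == "__main__":
    for hit in find_mismatched_mentions(SAMPLE_POST):
        print("possible misleading mention:", hit)
```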
I am able to mention what seems to be "@bsky.app", but in practice direct to a malicious handle like so:
This is caused by richtext facets allowing any text to be marked as a mention (or URL in another case).
Example code: