Instagram's URL Blackhole
203 points | 1 day ago | 11 comments | medium.com | HN
ghxst | 5 hours ago
The use of "storage.googleapis.com" is probably because it's an "authority" domain that apps can't easily ban without side effects. Buckets can typically be used as a static site host where you can host a client-side redirect; depending on how you set it up, you can make it almost impossible for an app to ban a campaign in real time.

notpushkin | 5 hours ago
This has some good uses, by the way! VPNs and news websites that are blocked in Russia use it to either mirror content or redirect to the newest version.

written-beyond | 12 hours ago
I want to thank you, dear poster and author; I feel genuinely refreshed reading a short, interesting post sans status-quo topic.

Waiting for the next part!

0______0 | 9 hours ago
Right? It's so short and... just ends. Been too fatigued reading essays on just about everything. I loved this one.

jen729w | 4 hours ago
Alas, Medium interrupted my journey to that nirvana.

ticoombs | 3 hours ago
I have blocked medium.com because of that. Same as the SEO spam dev.to.

It's actually interesting how often I end up seeing the uBlock 'blocked' page because of it. And how blind I end up being to the SERP domains.

I of course can click the bypass button on a case-by-case basis.

amne | 2 hours ago
At this point it must be intentional that there's always something uncanny about these fake pages. That Google logo is so old that if I see it I immediately know to get out of there.

So I find it fascinating how there's always the odd typo, the old logo, the impossible combination of an iPhone needing an antivirus, etc., and I refuse to believe it is incompetence.

flomo | 2 hours ago
Entirely intentional, because they want to filter out anyone who can see how scammy it looks, so they don't waste their time. This is bulk spam stuff. If they are actually targeting you, it will look very real.

efilife | 26 minutes ago
I found an e-mail spam service that said they needed to have typos on their website because it was better indexed for their target audience this way?

Weird

wongmjane | 5 hours ago
> CYBERSECURITY_PHISHING_FOA (likely Foreign Origin Actor)

That's probably "Family of Apps" instead, referring to the family of apps that Meta owns (e.g. IG, FB, WhatsApp, etc.)

samename | 12 hours ago
Ironic that the Apple App Store allows a "phone antivirus" to exist.

xp84 | 8 hours ago
Almost unbelievable that they allow this - except of course they do, because scamware makes a ton of money via in-app purchase, and Apple gets 30%, so of course they do. I'm sure people will come out of the woodwork now to white knight for Apple and spin this somehow. But anything that offends their business model can be removed in minutes, while software that by its title violates the App Store rules is just there indefinitely.

9dev | 2 hours ago
I'm pretty sure that one made it through the review for some reason; you don't typically see these apps in the App Store.

ronsor | 11 hours ago
Funnily enough, that's given as an example of a prohibited type of app in their review guidelines.

cwillu | 3 hours ago
@PlatoIsADisease (because dead comments can't be replied to): the term WalledGarden has been a term for this and related concepts since long before marketing-speak had completed the takeover of the internet.

krackers | 10 hours ago
But it's rated 4.4 stars! I'm guessing it hoovers up your contacts and tries to get you to sign up for the IAP subscription.

jsheard | 10 hours ago
The meta these days is bundling dodgy SDKs which turn the device into a residential proxy, which then gets sold on to the highest bidder. Mostly AI companies, whose desire to scrape literally everything has driven demand for that type of malware into the stratosphere.

halapro | 6 hours ago
Curated App Store, they said. Might have been true in 2010.

hdjY28 | 10 hours ago
FOA means "family of apps". Source: Meta's quarterly earnings reports

neya | 8 hours ago
How does Apple allow this? Here I thought the App Store was supposedly superior to the Android ecosystem, and that's why Apple justified the insane 30% tax on developers back then.

conception | 5 hours ago
Google Play was also 30%?

neya | 5 hours ago
Yeah, but Google always allowed you to bypass that by allowing users to install apps outside of their store. Whereas Apple pitched it as a security concern only to allow whoever paid them a nice fat commission.

est | 6 hours ago
It's fun and all, but is there a way to safely host .html that does not allow rendering it?

CORS? sec-fetch-dest, sec-fetch-mode and sec-fetch-site?

If storage.googleapis.com weren't operated by Google, the domain would have been blocked by Google's "Safe Browsing" a long time ago.

gruez | 6 hours ago
Serve it with content-type set to text/plain and browsers won't try to render it. You can try a random html file on GitHub. If you click raw, it'll get rendered as text.

svens_ | 2 hours ago
This assumption has unfortunately led to countless security issues, at least in the past. The nosniff header (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/...) was created because of this and should be added.

While this probably works, you should also add a restrictive CSP (using the sandbox directive).

Forcing the download (via the Content-Disposition header) would likely be even better, but it is annoying for users.

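The two replies above describe a layered way to host user-supplied .html without the browser ever treating it as a document. The following is an added example, not code from the thread or from any project it mentions: a checker that reads one response's headers and reports which of those layers (non-HTML Content-Type, nosniff, a CSP sandbox directive, attachment disposition) are missing, plus a `hardened_headers` helper that produces the recommended set. All header sets in it are constructed for illustration.

```python
"""Assess whether an HTTP response would let a browser render untrusted HTML.

Added example, not code from the thread. It encodes the layered advice given
in the comments above: a non-HTML Content-Type, X-Content-Type-Options: nosniff,
a CSP `sandbox` directive, and optionally Content-Disposition: attachment.
All sample header sets below are constructed for illustration.
"""
from dataclasses import dataclass, field

HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class Verdict:
    renders_as_html: bool             # browser would parse the body as a document
    issues: list[str] = field(default_factory=list)


def _get(headers: dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; an absent header reads as ''."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _csp_has_sandbox(csp: str) -> bool:
    """True if the policy contains a `sandbox` directive, with or without flags."""
    return any(d.strip().split()[:1] == ["sandbox"] for d in csp.split(";"))


def assess(headers: dict[str, str]) -> Verdict:
    """Classify one response's headers for serving attacker-supplied .html files."""
    media_type = _get(headers, "Content-Type").split(";")[0].strip().lower()
    nosniff = _get(headers, "X-Content-Type-Options").lower() == "nosniff"
    sandboxed = _csp_has_sandbox(_get(headers, "Content-Security-Policy"))
    attachment = _get(headers, "Content-Disposition").lower().startswith("attachment")

    issues: list[str] = []
    if media_type == "":
        issues.append("no Content-Type: the browser will sniff the body")
    elif media_type in HTML_TYPES:
        issues.append(f"Content-Type {media_type} asks the browser to render the body")
    if not nosniff:
        issues.append("missing X-Content-Type-Options: nosniff (legacy MIME sniffing)")
    if not sandboxed:
        issues.append("no CSP sandbox directive (defense in depth if rendering happens)")

    # An attachment disposition makes the browser download rather than display.
    renders = (media_type in HTML_TYPES or media_type == "") and not attachment
    return Verdict(renders_as_html=renders, issues=issues)


def hardened_headers(filename: str, force_download: bool = False) -> dict[str, str]:
    """Header set for serving an untrusted .html file so that it is never rendered."""
    # Keep the filename to a conservative character set before echoing it in a header.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "file.txt"
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if force_download:
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    # Constructed header sets: a bare text/plain response versus the hardened set.
    for label, hdrs in [
        ("text/plain only", {"Content-Type": "text/plain"}),
        ("hardened", hardened_headers("upload.html")),
        ("hardened + download", hardened_headers("upload.html", force_download=True)),
    ]:
        v = assess(hdrs)
        print(f"{label}: renders_as_html={v.renders_as_html} issues={v.issues}")
```

The bare `text/plain` case comes back as not rendering but with two open issues, which is exactly the gap the nosniff reply points at; the hardened set clears both, and `force_download=True` adds the attachment disposition for the cases where a download prompt is acceptable.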
kccqzy | 5 hours ago
> If storage.googleapis.com weren't operated by Google, the domain would have been blocked by Google's "Safe Browsing" a long time ago.

Not true. You just need to make it an eTLD by adding it to the public suffix list. Only subdomains of domains on the PSL can be marked by Google's Safe Browsing.

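The reply above hinges on what the Public Suffix List does to a hostname: a listed name becomes an eTLD, so each subdomain under it gets its own registrable domain (eTLD+1), the unit many domain-reputation systems key on. The following added example, not code from the thread or from publicsuffix.org, implements the PSL matching rules (longest matching rule wins, `*` wildcards, `!` exceptions) over a small constructed excerpt rather than the full list, and shows how adding a placeholder hosting name `bucket-host.example` (not a real provider) changes the registrable domain of its tenants.

```python
"""Registrable domain (eTLD+1) lookup against a public suffix list.

Added example, not code from the thread. It implements the Public Suffix List
matching algorithm (longest matching rule wins, `*` wildcards, `!` exceptions)
over a small constructed excerpt instead of the full list from publicsuffix.org,
to show how listing a shared hosting name changes which label is treated as the
"site" that many domain-reputation systems key on. The host
`bucket-host.example` is a placeholder, not a real provider.
"""
from __future__ import annotations

# Constructed excerpt in the PSL's own syntax; "//" comments and blanks are ignored.
PSL_BASE = """
// constructed excerpt for illustration
com
co.uk
*.ck
!www.ck
"""

# Same excerpt with a shared hosting name added as a public suffix.
PSL_WITH_HOST = PSL_BASE + "bucket-host.example\n"


def parse_psl(text: str) -> list[str]:
    """Return the rules of a PSL document as lower-case strings."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("//"):
            rules.append(line.lower())
    return rules


def _labels(name: str) -> list[str]:
    return name.lower().rstrip(".").split(".")


def _rule_matches(rule: list[str], host: list[str]) -> bool:
    """A rule matches when its labels equal the host's trailing labels; '*' is any label."""
    if len(rule) > len(host):
        return False
    return all(r == "*" or r == h for r, h in zip(reversed(rule), reversed(host)))


def public_suffix(hostname: str, rules: list[str]) -> str:
    """Public suffix of hostname per the PSL algorithm; '*' is the implicit default rule."""
    host = _labels(hostname)
    best: list[str] | None = None
    for rule in rules:
        is_exception = rule.startswith("!")
        labels = rule.lstrip("!").split(".")
        if not _rule_matches(labels, host):
            continue
        if is_exception:
            # An exception rule prevails; the suffix is the rule minus its leftmost label.
            n = len(labels) - 1
            return ".".join(host[-n:]) if n else ""
        if best is None or len(labels) > len(best):
            best = labels
    if best is None:
        best = ["*"]
    return ".".join(host[-len(best):])


def registrable_domain(hostname: str, rules: list[str]) -> str | None:
    """eTLD+1 of hostname, or None when the host is itself a public suffix."""
    host = _labels(hostname)
    suffix = public_suffix(hostname, rules)
    n = len(suffix.split(".")) if suffix else 0
    if len(host) <= n:
        return None
    return ".".join(host[-(n + 1):])


if __name__ == "__main__":
    base, with_host = parse_psl(PSL_BASE), parse_psl(PSL_WITH_HOST)
    for h in ["news.bbc.co.uk", "foo.bar.ck", "www.ck", "tenant.bucket-host.example"]:
        print(f"{h}: base={registrable_domain(h, base)} listed={registrable_domain(h, with_host)}")
```

Without the extra rule, `tenant.bucket-host.example` collapses to `bucket-host.example`, so any verdict keyed on the registrable domain lands on the shared host and every tenant with it; with the rule present each tenant is its own eTLD+1, which is the property the reply is relying on.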
selridge | 12 hours ago
Ironic seeing this as a Medium post.

alex1138 | 10 hours ago
I thought this was going to be about how links have become harder and harder to follow on Insta. The login walls got progressively stronger (it feels like), and now it's just hard blocked.

Sorry, Zuck. Not signing up for Insta, though you probably made a shadow profile of me.

paulpauper | 12 hours ago
lol "your iphone is severely damaged by viruses"

Facebook was known to aggressively filter URLs too if posted too often.