Hi! Recently, I’ve made a few clickbait links using OpenGraph meta tags and I’ve noticed that Discourse never shows the target URL, but instead relies on the spoofable meta tags to let a user know what they’re clicking on. For example, here’s a real article on The Verge:
However, if I copy and paste the tags into my own site, I can make a replica of the real article’s preview without any indication it’s not the original.
This seems dangerous because users can click on a “trusted site” and actually go to something completely different. I’m suggesting that instead of showing the article’s publish date, it shows the target site’s domain or a truncated URL.
Hovering over the link does show the target site’s URL - in your first example. In the 2nd it shows your “fake” URL. Granted, not everyone will bother to even check, but simply click away.
Thanks, I guess I missed that. What about mobile users, though? Is there something similar for them? I still think it could be a bit more obvious for everyone…
I think he means he may have found an exploitable feature. He did he create clickbait links to look like trusted sites. The one thing wrong with this scenario is that the user who posts it is also identified. This could be a problem if anonymous users post something like this.
I’m not a moderator on any forums I use, so I don’t have any control over that. Twitter, Facebook, and Apple Link Previews all show the target link, and Discourse doesn’t. Prior to the original post, I actually shared a fake link “announcing” the shutdown of the byte app on their forums without realizing it wouldn’t show the real link. My link redirected to a BlackLivesMatter hub, but still shows the potential of abuse this could have. Byte is shutting down (not really) - General Discussion - the byte community forums
