Recently, whilst working on implementing automatic posting into Bluesky, I ran into an issue with link-preview cards not being displayed.
In my other post, I described the need to do this as being a pain in the arse. However, there's more to it than that: having the ability to submit arbitrary card content is problematic because it can be used to facilitate disinformation campaigns.
Bluesky also uses facets, which allow the sender to turn text into arbitrary hyperlinks, presenting its own set of issues.
In this post, I'll explain why giving the sender control over these items is potentially harmful.
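A defender-side check for the facet issue described above, as an added example that is not part of the original post: it flags link facets whose visible text names one domain while the link target points at another. The record shape follows Bluesky's `app.bsky.feed.post` and `app.bsky.richtext.facet#link` lexicon; the sample record, domains and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

LINK_TYPE = "app.bsky.richtext.facet#link"
# Display text that itself looks like a URL or bare domain (heuristic).
DOMAIN_RE = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)", re.I)


def host_of(uri):
    """Lower-cased hostname of a URI with any leading 'www.' removed."""
    return (urlsplit(uri).hostname or "").lower().removeprefix("www.")


def mismatched_link_facets(record):
    """Return (display_text, uri) pairs where the text names another host."""
    raw = record["text"].encode("utf-8")  # facet indices are UTF-8 byte offsets
    findings = []
    for facet in record.get("facets", []):
        idx = facet["index"]
        shown = raw[idx["byteStart"]:idx["byteEnd"]].decode("utf-8", "replace")
        match = DOMAIN_RE.match(shown.strip())
        if not match:
            continue  # plain words as link text: no domain to compare against
        shown_host = match.group(1).lower().removeprefix("www.")
        for feat in facet.get("features", []):
            uri = feat.get("uri", "")
            if feat.get("$type") == LINK_TYPE and host_of(uri) != shown_host:
                findings.append((shown, uri))
    return findings


def _facet(text, shown, uri):
    """Build a link facet for `shown` inside `text` (helper for the sample)."""
    start = text.encode("utf-8").index(shown.encode("utf-8"))
    return {"index": {"byteStart": start,
                      "byteEnd": start + len(shown.encode("utf-8"))},
            "features": [{"$type": LINK_TYPE, "uri": uri}]}


# Constructed sample record; the non-ASCII character makes byte and character
# offsets differ, which is why the slice is taken on the encoded text.
TEXT = "Café update: full story at example.com/news and source at example.org"
SAMPLE = {"$type": "app.bsky.feed.post", "text": TEXT, "facets": [
    _facet(TEXT, "example.com/news", "https://example.net/landing"),
    _facet(TEXT, "example.org", "https://www.example.org/source"),
    _facet(TEXT, "full story", "https://example.net/landing")]}

if __name__ == "__main__":
    for shown, uri in mismatched_link_facets(SAMPLE):
        print(f"link text {shown!r} points to {uri}")
```

The check only covers link text that looks like a domain; link text made of ordinary words gives a reader nothing to compare against, so the target URL has to be shown or inspected separately.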
Note: I did email Bluesky detailing my concerns, but given that
- The ability to do this is publicly documented
- It turns out it's also something that Bluesky were already made aware of and have defended
- Update: 2 weeks later, they've still not replied at all
there didn't seem to be any value in delaying disclosure: it's better to ensure there's awareness of the issue.