A way to create a website on Bluesky for free has been developed



Software engineer Daniel Mangum has developed a way to host a website using Bluesky's servers and domains, and has written a blog post about it.

This Website is hosted on Bluesky

https://porcini.us-east.host.bsky.network/xrpc/com.atproto.sync.getBlob?did=did:plc:j22nebhg6aek3kt2mex5ng7e&cid=bafkreic5fmelmhqoqxfjz2siw5ey43ixwlzg5gvv2pkkz7o25ikepv4zeq

This Website is Hosted on Bluesky · Daniel Mangum
https://danielmangum.com/posts/this-website-is-hosted-on-bluesky/



Mangum's technique is a known behavior in Bluesky, so his post does not disclose a vulnerability, but he did contact the Bluesky team before publishing the post.

Mangum's method is deeply related to the decentralized SNS protocol 'AT Protocol' used by Bluesky. You can learn more about how AT Protocol works by reading the following article.

What is the decentralized SNS protocol 'AT Protocol' used by the popular SNS 'Bluesky'? - GIGAZINE



In the AT Protocol, you can host your own data using a Personal Data Server (PDS). A PDS has its own ID and can provide services completely independently within the network. Bluesky is one of the PDSs. Individuals can also run their own PDS, and PDSs can work together, so data stored in a personal PDS can be referenced from other PDSs such as Bluesky. This is what makes it possible to operate a decentralized SNS.

Since the PDS also has the ability to authenticate accounts, when attempting to log in to an SNS that is connected via the AT Protocol, it is necessary to specify the address of the PDS that contains your data. Because it is troublesome to specify each time which PDS your account is on, Bluesky provides a function called 'PDS entryway'. Using PDS entryway, it is possible to connect to any PDS via Bluesky.

In addition, in the AT Protocol, when posting with an image, the image data is first saved on the server as a binary large object (Blob), and then a post with an embedded reference to the image is created. Although it appears to the user that posting can be done in one process, in reality two processes, 'uploading the image' and 'posting', are required.

First, Mangum used the AT Protocol API exposed by Bluesky to upload an HTML file as a blob. A blob uploaded by itself is only stored in a temporary location on the server: it is not accessible from outside and is deleted after a certain period of time. Posting a reference to the blob makes the blob permanent.

However, Bluesky posts are limited to only being able to reference image blobs, and an error occurs when trying to embed a reference to an HTML file. So Mangum created a new collection and type called 'com.danielmangum.hack.website' and posted a reference to the HTML file blob.

Because it is a unique collection and type, the post is not displayed in Bluesky, but a 'post with a reference to an HTML file' was created successfully, so the HTML file has been persisted and is now accessible from outside. If you access the site, you will see that the URL of the Bluesky Blob is displayed.



'This is essentially free hosting, with a lot of storage and egress charges piling up, and it's also a security risk,' Mangum said.

Mangum discovered that Bluesky's legitimate type, app.bsky.feed.post, can use a 'union' type that combines multiple types as a reference to embed in a post, and that users can add types to this union type. By arbitrarily adding a type called 'sites,' it is possible to create a post that can be displayed in Bluesky and includes a reference to an HTML file.

The post below actually has a reference to an HTML file embedded in it. The HTML file reference seems to be ignored when displayed in Bluesky.

This post embeds a website.

— Daniel Mangum (@danielmangum.com) November 25, 2024 1:19
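Both cases described above (a record in a custom collection such as 'com.danielmangum.hack.website', and an 'app.bsky.feed.post' whose embed uses a user-added union type) keep a blob alive through a blob reference inside a record, so a PDS operator can look for them by walking records. The following Python is an added example, not code from Mangum's post or from Bluesky; it assumes the AT Protocol blob reference shape (`$type: blob` with `ref.$link` and `mimeType`), and the allow-list policy, the field name `site`, the type `com.example.sites` and all URIs and CIDs are constructed.

```python
# Added example. The prefix allow-lists are a hypothetical operator policy; the field
# name "site", the type "com.example.sites" and all URIs/CIDs in SAMPLE are constructed.
KNOWN_NSID_PREFIXES = ("app.bsky.",)
MEDIA_MIME_PREFIXES = ("image/", "video/")

def find_blobs(node, enclosing=None):
    """Yield (nearest enclosing $type, blob object) for each blob ref in a record."""
    if isinstance(node, dict):
        if node.get("$type") == "blob":
            yield enclosing, node
            return
        here = node.get("$type", enclosing)
        for value in node.values():
            yield from find_blobs(value, here)
    elif isinstance(node, list):
        for item in node:
            yield from find_blobs(item, enclosing)

def audit(records):
    """Return (record URI, blob CID, reasons) for every blob that breaks the policy."""
    findings = []
    for rec in records:
        for enclosing, blob in find_blobs(rec["value"]):
            reasons = []
            if not rec["collection"].startswith(KNOWN_NSID_PREFIXES):
                reasons.append("unknown-collection")
            if not (enclosing or "").startswith(KNOWN_NSID_PREFIXES):
                reasons.append("unknown-enclosing-type")
            if not blob.get("mimeType", "").startswith(MEDIA_MIME_PREFIXES):
                reasons.append("non-media-mime")
            if reasons:
                findings.append((rec["uri"], blob["ref"]["$link"], reasons))
    return findings

def blob_ref(cid, mime):
    return {"$type": "blob", "ref": {"$link": cid}, "mimeType": mime, "size": 1024}

SAMPLE = [
    {"uri": "at://did:example:alice/app.bsky.feed.post/1", "collection": "app.bsky.feed.post",
     "value": {"$type": "app.bsky.feed.post", "text": "photo", "embed": {"$type": "app.bsky.embed.images",
               "images": [{"alt": "", "image": blob_ref("cid-image", "image/jpeg")}]}}},
    {"uri": "at://did:example:alice/com.danielmangum.hack.website/1",
     "collection": "com.danielmangum.hack.website",
     "value": {"$type": "com.danielmangum.hack.website", "site": blob_ref("cid-html-1", "text/html")}},
    {"uri": "at://did:example:alice/app.bsky.feed.post/2", "collection": "app.bsky.feed.post",
     "value": {"$type": "app.bsky.feed.post", "text": "embeds a site",
               "embed": {"$type": "com.example.sites", "site": blob_ref("cid-html-2", "text/html")}}},
]

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The ordinary image post passes, while the custom-collection record and the post with the unknown embed type are both reported, the second only because the walk looks inside the embed rather than at the collection name alone.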

in Web Service, Posted by log1d_ts