Bluesky's domain-based identity verification system has been misused: a domain was registered in a celebrity's name and the real person was pressured to buy it back

Bluesky allows users to prove their identity by setting a domain name they own as their handle. It has become clear that malicious actors are taking advantage of this mechanism by registering domains under the names of well-known people and demanding that those people buy the domains back.

So, Bluesky Has An Extortion Problem
https://tedium.co/2024/12/17/bluesky-impersonation-risks/

To register a domain you own as your Bluesky handle, open the handle change screen from the settings screen and click the button labelled 'I own my own domain.'

The DNS records to add will then be displayed; once you add them to your domain's DNS settings, the domain can be used as your handle. Only the domain owner can edit the domain's DNS settings, so this proves that 'this account belongs to the owner of this domain.'

For example, GIGAZINE's Bluesky account uses 'gigazine.net' as its handle. Users can tell that it is the genuine GIGAZINE account because the handle matches the URL of GIGAZINE's official website ( https://gigazine.net/ ).
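The check behind a domain handle, as an added example that is not part of this article: the AT Protocol (which Bluesky runs on) publishes the account's DID in a DNS TXT record at `_atproto.<domain>` with the value `did=<did>`, and a handle is only valid when that record names the DID of the account claiming it. The DNS answers and DIDs below are constructed placeholders so the code runs offline; the `_atproto` record name and `did=` prefix are the protocol's own scheme, which the article does not spell out.

```python
"""Resolve a Bluesky/AT Protocol handle to a DID via the _atproto TXT record
and check it against the DID of the account that claims the handle.
Constructed DNS data stands in for real lookups (e.g. via dnspython)."""

# Constructed answers: record name -> list of TXT strings.
# 'gigazine.net' is the real handle named in the article; every DID here is
# a placeholder, and the 'conorsen.com' entry only models the lookalike case.
FAKE_DNS = {
    "_atproto.gigazine.net": ["did=did:plc:PLACEHOLDER_GIGAZINE"],
    "_atproto.conorsen.com": ["v=spf1 -all", "did=did:plc:PLACEHOLDER_SQUATTER"],
    "_atproto.example.org": [],
}


def lookup_txt(name):
    """Stand-in DNS resolver: returns the TXT strings for a record name."""
    return FAKE_DNS.get(name, [])


def did_from_txt(records):
    """Pick the DID out of a list of TXT strings, ignoring unrelated TXT
    data (SPF etc.). Returns None when no usable 'did=' record exists."""
    for record in records:
        if record.startswith("did="):
            did = record[len("did="):].strip()
            if did.startswith("did:"):
                return did
    return None


def resolve_handle(handle, lookup=lookup_txt):
    """Handle -> DID through the _atproto TXT record. Handles are case-
    insensitive, so normalise before building the record name."""
    handle = handle.strip().lower().rstrip(".")
    return did_from_txt(lookup(f"_atproto.{handle}"))


def handle_matches_account(handle, account_did, lookup=lookup_txt):
    """True only when the domain's TXT record names this account's DID.
    Note what this proves: control of the domain, not who the person is.
    Whoever registers a lookalike domain can pass this check for their
    own account, which is exactly the impersonation the article describes."""
    resolved = resolve_handle(handle, lookup)
    return resolved is not None and resolved == account_did
```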



However, a blackmail incident has occurred that took advantage of this identity verification system. The victim was Bloomberg columnist Conor Sen.

Sen used Bluesky under the handle 'conorsen.bsky.social', but on December 17, 2024, he received a message from someone who had acquired the domain 'conorsen.com', saying, 'I have acquired a domain in your name. You can choose to trade the domain or do nothing.' The person who acquired 'conorsen.com' set the account's display name to 'Conor Sen' and used the same icon as the real account. In effect, the threat is 'buy the domain if you want the impersonation to stop.'



In addition, a fake account impersonating the well-known podcaster Sam Parr posted, 'Mr. Sen should make a deal. If he's making money online, buying the domain is a fair price to pay.' The fake Parr account also posted a link to 'conorsen.com,' which appeared to be harvesting email addresses under the guise of a newsletter.

In response, the real Parr asked the Bluesky team to remove the fake account. However, according to the overseas media outlet Tedium, the Bluesky team temporarily blocked the real Parr rather than the fake account.

The fake accounts impersonating Sen and Parr have both since been blocked.



In response to the occurrence of this extortion incident involving the misuse of domain authentication, Tedium has pointed out that 'Bluesky places importance on domain identity verification, but in reality, impersonation fraud and cybersquatting are occurring that are abusing domains. Resolving these issues will be difficult, and it may be necessary to use the legal system,' and is calling for a review of the identity verification system.

Bluesky updated its policy on November 30, 2024, stating that it will strictly delete accounts that impersonate users or engage in cybersquatting.

Bluesky updates policy on impersonation and parody accounts, will delete accounts that are not clearly stated to be fake - GIGAZINE

in Web Service, Security, Posted by log1o_hf