#I mean i guess its an okay attempt at automating the process of giving infected users their accounts back?
oswald-privileges · 3 years
Today on 'tumblr is Perfectly Functional With No Flaws Whatsoever'
so i know we're all going wild over TumblrPremiumPlus or whatever the fuck but ive made a new discovery about the r//a///yba//n/s scam (or new to me) and since i spent the time i should have been writing up my thesis proposal doing Tumblr Science instead, i have to at least write it down
so my datemate got an IM from someone asking what 'the sunglasses scam' was. That's in quotes bc the specific phrasing will be significant later.
my datemate replies with a message more or less along these lines:
"The sunglasses thing was about a bot that would hack accounts. Once it had access to an account it would make a post about Ray-Ban sunglasses and if you clicked the link in the post it'd hack you too."
Ey hits enter, but the message won't send. Not unusual, we all know that tumblr IM will just randomly glitch out when it feels like it. So ey hits refresh, and abruptly finds emself on the log-in page.
"Hi! It's time to change your password!" the log-in page says.
My datemate is naturally suspicious about unexpectedly being asked to alter eir password, but, since ey practises basic cybersecurity and actually uses different passwords for every site, ey figures there won't be too much risk. Ey resets eir password, logs back in, and types out the message to eir friend again.
Same thing happens. Message won't send, ey's booted back out to the log-in page, and told to change eir password again. So ey does.
The third time this happens, ey figures something has to be wrong with the message. I've been watching over eir shoulder for a couple of minutes at this point, so we do a bit of Sciencing to work out what the fuck is going on.
Hypothesis: Tumblr IM is, for some reason, flagging mentions of ray-ban.
Experiment: I send various ray-ban related words and phrases to my datemate via IM. If any of them refuse to send and I get kicked out on refreshing, we've found the culprit
Results: "ray-ban" is fine. "sunglasses" goes through no problem. the precise phrase "ray-ban sunglasses" gets me drop-kicked to the log-in page like i was trying to start a fight in a nightclub (or so i assume. ive never actually been out clubbing)
I do a bit of fucking around on text posts with that phrase to see if that achieves the same effect.
I even tried recreating the original scam post as close as i can get without linking to a malicious website.
not a peep. i stay happily logged in.
so.
tumblrs solution to the ray-ban bots issue
was to blacklist the exact phrase "ray-ban sunglasses"
in the IM feature only
making it impossible
to TELL anyone
who uses the goddamn IM feature
about the goddamn scam
W E B B E D S I T E
45K notes