• titter@lemmy.world
    link
    fedilink
    arrow-up
    152
    arrow-down
    1
    ·
    edit-2
    11 months ago

    This is awesome. We need more of this to help us fight the coming war

  • s12@sopuli.xyz
    link
    fedilink
    arrow-up
    90
    ·
    11 months ago

    Thought that seemed really cute. Nice way to try to break through social anxiety.

    Then I saw that it started as a wrong number message. Then I realised…

    Damn scam bots!

  • tourist@lemmy.world
    link
    fedilink
    arrow-up
    50
    ·
    11 months ago

    why bother with the variations?

    think they’re hoping to knock the same victim more than once?

    messed up

    • PM_Your_Nudes_Please@lemmy.world
      link
      fedilink
      arrow-up
      66
      ·
      11 months ago

      Probably a basic way to evade spam detection. If you start sending the exact same message to 500 people, most chat services will shut that shit down in an instant. But if you send unique messages, it makes you look more like a real person, and the chat system may let it slide.

      • Adalast@lemmy.world
        link
        fedilink
        arrow-up
        9
        ·
        11 months ago

        What’s bad is that modern spam detection can employ semantic algorithms so it would still catch all of them as the I’m as message. The use of synonyms in the optionals is a huge vulnerability in the scam.

    • xmunk@sh.itjust.works
      link
      fedilink
      arrow-up
      30
      ·
      11 months ago

      So that their fixed script isn’t so predictable that we can just nuke them by looking for identical conversations.

    • Jknaraa@lemmy.ml
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      11 months ago

      Could be to match the style of the target, to try and make the conversation feel more natural for them.

  • MyFeetOwnMySoul@lemmy.ca
    link
    fedilink
    arrow-up
    43
    ·
    11 months ago

    How does this exploit work? I understand that inputs were not sanitized, but what did the injected code do?

    • powerofm@lemmy.ca
      link
      fedilink
      arrow-up
      67
      ·
      11 months ago

      My guess would be the response text is passed through a rudimentary templating engine that looks for { and }. Somehow it must be processing the whole chat history. The templater fails at the unexpected braces in the code block and then just gives up (probably a try-catch ignores the error and sends the message anyway).

    • kromem@lemmy.world
      link
      fedilink
      English
      arrow-up
      46
      ·
      edit-2
      11 months ago

      I don’t think the code is doing anything, it looks like it might be the brackets.

      That effectively the spam script has like a greedy template matcher that is trying to template the user message with the brackets and either (a) chokes on an exception so that the rest is spit out with no templating processor, or (b) completes so that it doesn’t apply templating to the other side of the conversation.

      So { a :'b'} might work instead.

    • titter@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      11 months ago

      Mask slipped? The bot saw a person speak code and was like l, rips off mask Comrade!