Hot girls on $INSTANCE$hosts$ in your area, or the Deception Pattern

Something’s wrong on the Fediverse. Instance variables seem to be usable so that anyone can post a comment that seemingly applies to the recipient’s instance. Let’s call it the Deception Pattern.

It all started with a witty post from Skye \ Uzi :flag_transgender: (@skye) | void.rehab, mixing the classic porn advertising pattern with $HOSTNAME$host$, which translates to your instance’s hostname for your users.

This post, seen on https://ps.s10y.eu/deck/@skye@void.rehab/113811566591739872 reads “hot girls on ps.s10y.eu in your area” which was readily reported as problematic, of course. Who wants porn ads on their generalist Fediverse instance with a CW policy for sexual content?

Is this an ActivityPub thing, or is it a Mastodon thing?
$INSTANCE$host$ → $INSTANCE$host$

That localized replacement can certainly have nasty (or naughty?) side-effects.

Can someone provide a technical explanation for this variable automation?
@skye@void.rehab maybe?

This is an (AFAICT unfixable, without something content-addressed in the way) side-effect of authorized fetch. The instance asking for a post authorizes itself, and the instance answering doesn’t have to give the same content to everyone asking for it (otherwise it wouldn’t be able to refuse serving content to blocked instances!).

The variable substitution itself is being done on the sending instance via an unofficial patch, and this patch isn’t even the first time this has been implemented (although it significantly lowered the barrier to creating this style of post), with the earliest example I’m aware of being several years old now (although my instance doesn’t seem to have the post cached, so I can’t find it directly at https://puckipedia.com/4th-wall--talki (search on your instance instead of visiting remotely)).

With nearly all the current implementations using an instance actor instead of real users for authorization (for most posts), only the instance itself can be reliably determined, so the impact is relatively minor (e.g. you can’t reliably target individual users, as it all gets cached in the same database in the end).

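To make the mechanism in the reply above concrete, here is an added example (not code from the thread, from Mastodon, or from the unofficial patch mentioned) in Python. It simulates the sending side of an authorized fetch: the fetching instance signs its GET with an HTTP Signature whose keyId points at its instance actor (Mastodon uses https://<host>/actor#main-key), the sender reads the host out of that keyId and substitutes it for the placeholder before answering. It also shows the check a receiving or auditing instance can run: fetch the same object under two identities and compare content digests, which is exactly what a content-addressed object would make impossible. The stored note, the two Signature headers, the hostname other.example and the omitted signature verification step are all constructed assumptions for the example; ps.s10y.eu is the hostname from the thread.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample of what the sending instance stores (not the real post).
# "$INSTANCE$host$" is the placeholder the thread is about.
PLACEHOLDER = "$INSTANCE$host$"
STORED_NOTE = {
    "id": "https://sender.example/notes/1",
    "type": "Note",
    "content": "<p>hot girls on " + PLACEHOLDER + " in your area</p>",
}

# Constructed HTTP Signature headers as two fetching instances would send them.
# Real signatures are omitted; verifying them is assumed to happen elsewhere.
SIG_PS = ('keyId="https://ps.s10y.eu/actor#main-key",algorithm="rsa-sha256",'
          'headers="(request-target) host date",signature="ZmFrZQ=="')
SIG_OTHER = ('keyId="https://other.example/actor#main-key",algorithm="rsa-sha256",'
             'headers="(request-target) host date",signature="ZmFrZQ=="')

_KEYID_RE = re.compile(r'keyId="([^"]+)"')


def requester_host(signature_header):
    """Hostname of the fetching instance, taken from the Signature keyId.

    With instance-actor fetches the keyId is always the shared actor, so the
    host is the only thing the sender can reliably learn about the requester.
    Returns None for unsigned requests.
    """
    if not signature_header:
        return None
    m = _KEYID_RE.search(signature_header)
    if not m:
        return None
    return urlparse(m.group(1)).hostname


def render_for_requester(note, signature_header):
    """The sender's answer to an authorized fetch: the stored note with the
    placeholder replaced by the requester's hostname. Unsigned requests get
    the raw placeholder (a strict authorized-fetch setup would refuse them)."""
    host = requester_host(signature_header)
    rendered = dict(note)
    if host is not None:
        rendered["content"] = note["content"].replace(PLACEHOLDER, host)
    return rendered


def content_digest(note):
    """SHA-256 of the content field, the value a content-addressed scheme would pin."""
    return hashlib.sha256(note["content"].encode("utf-8")).hexdigest()


def varies_by_requester(note, sig_a, sig_b):
    """Audit check: fetch the same object as two different instances and
    compare digests. True means the sender personalises the object."""
    a = content_digest(render_for_requester(note, sig_a))
    b = content_digest(render_for_requester(note, sig_b))
    return a != b


if __name__ == "__main__":
    for sig in (SIG_PS, SIG_OTHER, None):
        print(requester_host(sig), "->", render_for_requester(STORED_NOTE, sig)["content"])
    print("varies by requester:", varies_by_requester(STORED_NOTE, SIG_PS, SIG_OTHER))
```

Once the rendered note is cached in the receiving instance's database, every local user sees the same substituted text, which is why the reply notes that individual users cannot be targeted this way; the digest comparison is the cheap way to spot such an object without trusting the sender.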