Subject: telegram+github ?ref= cache poisoning
Message-Id: https://www.5snb.club/posts/2024/telegram-github-ref-cache-poisoning/
Tags: #hack(6) #security(4)

Link to a github repo with a ?ref= parameter, such as https://github.com/teslamotors/ruby-smpp?ref=elon%20musk%20fucking%20sucks. The ref doesn’t need to be a valid reference in the repo (or any fork); it’s completely free text. Post that link somewhere on telegram. From then on, anyone who posts a link to that repo will get the ?ref value in their embed.

[Image: embed.png, a telegram link preview titled “GitHub - teslamotors/ruby-smpp at elon musk fucking sucks”]

The ref parameter shows up at the top, to the right of the repo name. This embed was posted by someone who is not me, so it works cross-user too.

This only works for links that haven’t been cached yet, so you may need to pick a less popular URL or manually invalidate the cache using @WebpageBot. Just posting the link with ?ref= to that bot works fine.

I discovered this funny behavior when reading Filippo Valsorda’s blog, which consistently appends ?ref=words.filippo.io to the URLs it links to, even github ones. “at words.filippo.io” would show at the end of the page title. Then I went and checked whether it showed in embeds, which it does. And then it turns out that telegram (not discord or matrix) strips out the ?ref= parameter when determining the cache key for an embed.
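To make the cache-key problem concrete, here is an added toy model of a link-preview cache (not telegram’s or github’s code; the title rendering and the ?ref=-dropping key function are assumptions that reproduce the behavior described above). It shows that a key which discards ?ref= lets the first poster’s title leak into everyone else’s preview, while keying on the full URL does not.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed stand-in for the page title github renders: the ref query
# value is appended after "at", as in the screenshot in the post.
def preview_title(url: str) -> str:
    parts = urlsplit(url)
    repo = parts.path.strip("/")
    ref = dict(parse_qsl(parts.query)).get("ref")
    return f"GitHub - {repo} at {ref}" if ref else f"GitHub - {repo}"

# Assumed weak normalisation: drop ?ref= before building the cache key,
# so "repo" and "repo?ref=anything" share one cache entry.
def weak_cache_key(url: str) -> str:
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k != "ref"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

# Hardened alternative: any difference in the query string is a different
# cache entry, so a poisoned title cannot be served for the bare link.
def strict_cache_key(url: str) -> str:
    return url

class PreviewCache:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def get_preview(self, url: str) -> str:
        key = self.key_fn(url)
        if key not in self.store:          # first fetch populates the entry
            self.store[key] = preview_title(url)
        return self.store[key]

# Replays the scenario from the post: one user posts the link with a
# free-text ?ref=, then another user posts the plain repo link.
def simulate(key_fn) -> str:
    cache = PreviewCache(key_fn)
    repo = "https://github.com/example-org/example-repo"   # constructed URL
    cache.get_preview(repo + "?ref=not%20a%20real%20ref")  # first poster
    return cache.get_preview(repo)                         # later poster

if __name__ == "__main__":
    print("weak  :", simulate(weak_cache_key))
    print("strict:", simulate(strict_cache_key))
```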

On github’s side, you can use silly characters like RTL override, but because it shows up in the title at the end, you can’t do much with that. Maybe someone else can find something silly to do with this, but I couldn’t. Yes, I’ve tried script injection.