
742 points janpio | 7 comments
1. kevinsundar No.45676293
This may not be a huge issue depending on mitigating controls, but are they saying that anyone can submit a PR (containing anything) to Immich, tag the PR with `preview`, and have the contents of that PR hosted on https://pr-<num>.preview.internal.immich.cloud?

Doesn't that effectively let anyone host anything there?

replies(4): >>45676432 >>45676486 >>45678610 >>45679187
2. warkdarrior No.45676432
Excellent idea for cost-free phishing.
3. daemonologist No.45676486
I think only collaborators can add labels on GitHub, so not quite. Does seem a bit hazardous though (you could submit a legit PR, get the label, and then commit whatever you want?).
replies(1): >>45676878
4. ajross No.45676878
Exposure also extends not just to the owner of the PR but also to anyone with write access to the branch from which it was submitted. GitHub pushes are SSH-authenticated and often automated in many workflows.
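To make the window daemonologist and ajross describe concrete, here is an added audit example; it is not from the thread and not Immich's code. It walks a PR's event timeline and flags every commit or force-push that landed on the PR branch while the deploy label was applied, i.e. content that would have gone to the preview host without a fresh review. The event kinds are modelled on GitHub's issue-timeline event names, the label name `preview` is taken from the thread, and the timeline itself is constructed for the example.

```python
"""Audit a PR timeline for pushes made while a deploy label was active.

A label-gated preview flow trusts the PR contents at the moment a collaborator
applies the label, but a later push to the PR branch is deployed without anyone
re-reviewing it. This walks a list of timeline events (shape modelled on
GitHub's issue-timeline API; the data below is constructed, not real Immich
data) and reports every branch change that happened inside such a window.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

DEPLOY_LABEL = "preview"  # assumed label name, as mentioned in the thread


@dataclass(frozen=True)
class Event:
    kind: str         # "labeled", "unlabeled", "committed", "head_ref_force_pushed"
    at: datetime      # when the event happened (UTC)
    actor: str        # who performed it
    detail: str = ""  # label name for label events, commit sha for branch changes


def unreviewed_pushes(events, label=DEPLOY_LABEL):
    """Return branch-change events that occurred while `label` was applied.

    A `labeled` event opens the window and an `unlabeled` event closes it.
    Commits before the label was applied were visible to whoever applied it and
    are ignored; commits after a re-label are flagged only if they follow it.
    """
    flagged = []
    label_active = False
    for ev in sorted(events, key=lambda e: e.at):
        if ev.kind == "labeled" and ev.detail == label:
            label_active = True
        elif ev.kind == "unlabeled" and ev.detail == label:
            label_active = False
        elif ev.kind in ("committed", "head_ref_force_pushed") and label_active:
            flagged.append(ev)
    return flagged


def _t(iso):
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


# Constructed sample timeline: a plausible PR gets labelled by a maintainer,
# the contributor pushes twice more (once with a force-push), the label is
# removed and re-applied, and an automated account pushes after the re-label.
SAMPLE_TIMELINE = [
    Event("committed", _t("2025-10-20T09:00:00"), "contributor", "a1b2c3d"),
    Event("labeled", _t("2025-10-20T10:00:00"), "maintainer", "preview"),
    Event("committed", _t("2025-10-20T11:30:00"), "contributor", "d4e5f6a"),
    Event("head_ref_force_pushed", _t("2025-10-20T12:00:00"), "contributor", "0badf00"),
    Event("unlabeled", _t("2025-10-20T13:00:00"), "maintainer", "preview"),
    Event("committed", _t("2025-10-20T13:30:00"), "contributor", "7777777"),
    Event("labeled", _t("2025-10-20T14:00:00"), "maintainer", "preview"),
    Event("committed", _t("2025-10-20T15:00:00"), "bot-account", "8888888"),
]


def audit(events=SAMPLE_TIMELINE, label=DEPLOY_LABEL):
    """Return (sha, actor, kind) for every flagged branch change."""
    return [(e.detail, e.actor, e.kind) for e in unreviewed_pushes(events, label)]


if __name__ == "__main__":
    for sha, actor, kind in audit():
        print(f"{kind:22} {sha} by {actor} reached the preview without re-review")
```

Running it against the constructed timeline flags the two pushes made between the first label and its removal and the bot-account push after the re-label, while the commit made during the unlabelled gap is not flagged. The same walk can be pointed at a real PR's timeline to answer the "has this been abused?" question raised later in the thread, and the bot-account entry is exactly the automated-push case ajross describes.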
5. rixed No.45678610
So basically like https://docs.google.com/ ?
replies(1): >>45678742
6. jeroenhd No.45678742
Yes, except on Google Docs you can't make the document steal credentials or download malware by simply clicking on the link.

It's more like sites.google.com.

7. tgsovlerkhgsel No.45679187
That was my first thought - have the preview URLs possibly actually been abused through GitHub?