Anyone else think that the like button in Lens apps should look like this? 😁 🫶
PSA: Hey.xyz is sharing privileged access to your account without your consent.
I’ve just discovered that Hey is sharing profile access tokens with Orb whenever you simply view a Club page. What does this mean?
When you log into a Lens app you sign a message with your wallet that creates an “access token” for your profile. This enables the app to access your protected information and perform actions on your behalf, using the Lens API. It acts as a sort of temporary password for your account. Anyone with this token has privilege to do things like:
Normally only apps that you have explicitly logged into can do these things, but when you simply open a Club page on Hey your access token is sent to Orb’s private servers, where they can do whatever they want with it. The Orb API requires these tokens to function and there’s no way to verify what they’re doing with them.
Even if you’ve never used Orb, or explicitly don’t trust Orb with access to your account, simply viewing a Club on Hey gives them full access to your Lens Profile.
This is yet another example of how Orb Clubs are the antithesis of Web3, and a great example of why you should only use open source Web3 apps, where you can verify the code yourself (or rely on trusted devs to be watchdogs).
I’m calling on @yoginth to implement a clear consent prompt for sharing this sensitive access, and for @orb to embrace the fundamentals of Web3: permissionless ownership and access.
If you’re concerned about this, or want to revoke your existing access tokens, you can do so from <hey.xyz/settings/sessions>. Then simply avoid visiting any Club page on Hey until proper measures are taken.
Note that these access tokens do not give apps the ability to transfer tokens on your behalf. If you already actively use Orb, there’s no real reason for concern.
For anyone posting about free speech and “free Durov”, be sure to do a bit of research so you’re informed on the broader scope of the situation.
Frames Kinda Suck (But They Don’t Have To)
It’s cool to see Lens Frames being supported by more apps, but I fear that the hype around Frames has passed, and now we’re stuck in the trough with a user experience that kind of sucks.
The Good
Frames allow for some interesting use cases, effectively turning links into interactive mini-apps. This is especially interesting when combined with onchain activity, like using Open Actions, and passive games.
Frames are built on the Open Graph meta tags system. This is something you’ve likely seen in many social apps — it’s those website preview images that are automatically shown when a post or message contains a link. Frames extend that format to allow for actual interactions; essentially adding buttons to those link embeds.
There are many benefits to supporting Frames, like reducing the need to leave the feed, associating the interactions with a user’s social graph, and removing some friction of interacting directly with smart contracts.
The Bad
The problem is they’re really slow to use and generally have poor UX design. Frames break most best practices when it comes to web design. A Frame can show up to four buttons and a single input field. These buttons have no visual indication of their importance, danger, or relevance to the content. They’re generally visually identical. The input fields aren’t capable of providing basic niceties that you’ve come to expect, like autocomplete, validation, and suggestions.
There’s no concept of navigation or history in Frames. You can’t simply go “back” to see a previous Frame, or refresh the current Frame unless one (or more) of the 4 buttons is dedicated to navigation. This breaks typical expectations in using web interfaces and forces the Frame to use the limited real estate for adding basic functions.
One of the biggest issues with Open Graph tags, in general, is that most apps download the entire HTML document, then parse for the tags. This can be fairly slow and is terribly inefficient. For instance, just the HTML for a single YouTube video page is close to a 1MB download. Add a few of those to a feed and their impact becomes noticeable. For this reason, apps typically cache Open Graph tags to cut down the load times. Unfortunately, caching isn’t always possible with Frames because the images are often dynamic.
Another huge limitation for Frames is the necessity to present the UI as an image. This is terrible for accessibility, an inefficient use of resources, and reminds me of the worst aspects of the Flash days.
The Solutions
For starters, Frame UIs should have built-in navigation and history stack. It shouldn’t be up to the Frame to provide basic affordances like “back” and “refresh”.
Frame buttons should allow for classification and denoting importance. Dangerous actions shouldn’t look the same as safe ones, and primary actions shouldn’t look the same as secondary or tertiary actions.
Apps that show Frames should use “streaming” to download only the header of an HTML document, rather than downloading the entire thing and then parsing. This is a basic feature supported by the standard Javascript library for making web calls (fetch
). In my limited testing it’s 5 - 10x faster.
Lastly, we need UI kits that standardize the way UIs are built in Frame images, and standards for accessibility so things like screen readers work with Frames. This would make it much easier for developers to present interfaces in a way that is familiar and expected.
How long until people realize that crypto gambling isn’t an accurate way to judge predictions?
Something needs to be done about the bots.
It’s getting out of control, and this is with the “high signal” notification filter enabled. I’ve received about a dozen more just while writing this post.
What’s worse is that there’s no way to stop this because blocking doesn’t actually prevent you from getting notifications when tagged by a blocked user. If we don’t figure this out soon, Lens will die. I’m very close to ignoring notifications altogether because the signal to noise ratio is easily 1:100.
Note: if you’re unable to comment on this post it’s because the app you’re using doesn’t properly handle the “friends of friends” setting. This is the only thing I can do to stop the bot mirrors and comments.