Fediverse

34717 readers

251 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Follow the general Lemmy.world rules.

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago

MODERATORS

[email protected]

163

Pixelfed leaks private posts from other Fediverse instances - fiona fokus (fokus.cool)

submitted 2 months ago by [email protected] to c/[email protected]

60 comments fedilink hide all child comments

Found this via Aurynn Shaw:

When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.

Edited to add the last block quote.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] -1 points 2 months ago (5 children)

periodic reminder to not touch dansup software and to move away from pixelfed and loops

dansup is not competent and quite problematic and it's not even over

developers with less funding (even 0) contributed way more to fedi, they're just less vocal

dansup is all bark no bite, stop falling for it

[–] [email protected] 3 points 2 months ago (1 children)

It's a failure on the part of mastodon. I don't really care about whatever drama dansup is embroiled in. Mastodon shouldn't imply a post is only readable by followers when it's just a public post that doesn't show by default in their frontend.

[–] [email protected] 1 points 2 months ago

how is it a failure of mastodon that pixelfed doesn't respect audience targeting? it's not like it's something that mastodon made up, this isn't about unlisted/public

load more comments (3 replies)