this post was submitted on 26 Mar 2025
162 points (96.6% liked)

Fediverse

32343 readers
381 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago
MODERATORS
ruud@lemmy.world
Xylinna@lemmy.world
MrCenny@lemmy.world
TragicNotCute@lemmy.world
automodbeta@lemmy.world
woelkchen@lemmy.world
162
Pixelfed leaks private posts from other Fediverse instances - fiona fokus (fokus.cool)
submitted 1 week ago by haverholm@kbin.earth to c/fediverse@lemmy.world
60 comments fedilink hide all child comments
 

Found this via Aurynn Shaw:

When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.

Edited to add the last block quote.

you are viewing a single comment's thread
view the rest of the comments
[–] haverholm@kbin.earth 2 points 1 week ago (2 children)

Edited to add: I got this around the wrong foot, see the reply to this. /edit

Not necessarily, as clearly stated in the linked article:

But sure enough, the toot was followers only and the person that had liked it was not following her Mastodon account. When I took a look at the other persons profile on pixelfed.social, I noticed that the instance was nevertheless claiming the account was following her.

When pixelfed assumes that an account is not locked, it immediately treats a follow attempt as completed. For the server on the other end it looks like a normal follow request. It could be rejected, and pixelfed would still be convinced that a follow relation exists.

[–] troed@fedia.io 8 points 1 week ago (1 children)

Yes, necessarily.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server

[–] haverholm@kbin.earth 4 points 1 week ago

Ah, good catch. Thanks!

[–] SkaveRat@discuss.tchncs.de 8 points 1 week ago* (last edited 1 week ago)

Abolutely necessarily.

it works like this:

  • @privateuser@mastodon.example.com has a "followers only account".
  • @someuser@pixelfed.example.com is a friend of above account, requested access and was granted. This now causes mastodon.example.com to push all messages of @privateuser to pixelfed.example.com.
  • @anotheruser@pixelfed.example.com requests access, but gets ignored. But the pixelfed instance marks the user as "follows @privateuser"
  • In the interface of @someuser, the messages are shown as expected.
  • In the interface of @anotheruser, they are also shown. Because PF basically does a database "select messages of users that the user follows", without checking if the access was ever granted.

Important to note, that this would not happen, if the messages weren't already pushed to the server due to the "allowed" user