this post was submitted on 26 Mar 2025
162 points (96.6% liked)

Fediverse

34956 readers
509 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago
MODERATORS
 

Found this via Aurynn Shaw:

When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide whom to show them to. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.

Edited to add the last block quote.

[–] LambdaRX@sh.itjust.works 126 points 3 months ago (40 children)

I wouldn't call it Pixelfed's vulnerability, but a reminder that nothing on the Fediverse is private. Even if Pixelfed is fixed, someone can create a rogue instance to read others' private posts.

[–] Irelephant@lemm.ee 1 points 3 months ago (15 children)

Private posts are only sent to instances that either your followers or the list of people you want to see the post are on. If they all co-operate, you will be fine.

[–] PhilipTheBucket@ponder.cat 3 points 3 months ago (10 children)

private posts are only sent to instances

Well, obviously they’re sent to some other ones, or else this wouldn’t be an issue.

This is a design flaw in the protocol. If your instance is going to send your private posts to other people, they’re not private. The authors need to fix your instance software, not demand that every other software in existence needs to “cooperate” and find out whether they’re “private” and not show them to the users if they are.

[–] iltg@sh.itjust.works 1 points 3 months ago

This is wrong, you're assuming incorrectly. Private posts get sent only to intended recipients. Pixelfed allows other recipients on the same server to read that. It's not your instance software, it's Pixelfed; please don't spread misinformation based on uninformed assumptions.
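The disagreement above is about which side enforces visibility: the sender only delivers a followers-only post to servers that host an accepted follower, and the receiving server then has to decide which of its own local accounts may see it. The following Python is an added example, not Pixelfed, Mastodon or GoToSocial code, written to show that receiving-side check. The actor document, the follow state, the local account names and the `Create` activity are all constructed for the example; the only real value is the ActivityStreams `Public` collection identifier.

```python
"""Receiving-side visibility check for an inbound ActivityPub post.

Added example (constructed data). It contrasts the behaviour the thread
describes (every local account can read a post once the server holds it)
with the check a receiving server must make: a followers-only post is shown
only to local accounts whose Follow the remote actor has Accepted, plus
anyone addressed directly.
"""

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"  # real AS2 identifier

# Constructed actor identifiers.
ALICE = "https://social.example/users/alice"       # remote, locked account
BOB = "https://pix.example/users/bob"              # local, accepted follower
EVE = "https://pix.example/users/eve"              # local, follow still pending
MALLORY = "https://pix.example/users/mallory"      # local, no relationship

# Constructed cache of the remote actor document (only the fields used here).
REMOTE_ACTORS = {
    ALICE: {"id": ALICE, "followers": ALICE + "/followers",
            "manuallyApprovesFollowers": True},
}

LOCAL_USERS = [BOB, EVE, MALLORY]

# A Follow counts only once the remote server has answered with Accept.
ACCEPTED_FOLLOWS = {BOB: {ALICE}}   # local user -> remote actors they follow
PENDING_FOLLOWS = {EVE: {ALICE}}    # sent Follow, no Accept yet: grants nothing

# Constructed followers-only Create activity as delivered to a shared inbox.
FOLLOWERS_ONLY_POST = {
    "type": "Create",
    "actor": ALICE,
    "to": [ALICE + "/followers"],
    "cc": [],
    "object": {"type": "Note", "content": "for followers only",
               "to": [ALICE + "/followers"], "cc": []},
}


def audience(activity):
    """Union of the addressing fields on the activity and on its object."""
    ids = set()
    for src in (activity, activity.get("object") or {}):
        if not isinstance(src, dict):
            continue
        for key in ("to", "cc", "bto", "bcc", "audience"):
            value = src.get(key, [])
            ids.update([value] if isinstance(value, str) else value)
    return ids


def readers_flawed(activity, local_users):
    """The behaviour described in the thread: the post is in the local
    database, so every local account gets to see it."""
    return sorted(local_users)


def readers_correct(activity, local_users, accepted_follows):
    """Local accounts allowed to see the post.

    Rules: Public -> everyone; addressed directly -> that account;
    sender's followers collection addressed -> only accounts holding an
    Accepted follow of the sender. Pending follows and everyone else: nothing.
    """
    actor = activity["actor"]
    aud = audience(activity)
    if PUBLIC in aud:
        return sorted(local_users)
    followers_collection = REMOTE_ACTORS.get(actor, {}).get("followers")
    readers = []
    for user in local_users:
        if user in aud:
            readers.append(user)
        elif followers_collection in aud and actor in accepted_follows.get(user, set()):
            readers.append(user)
    return sorted(readers)


if __name__ == "__main__":
    print("flawed :", readers_flawed(FOLLOWERS_ONLY_POST, LOCAL_USERS))
    print("correct:", readers_correct(FOLLOWERS_ONLY_POST, LOCAL_USERS, ACCEPTED_FOLLOWS))
```

Note that the receiving server never sees the membership of `alice/followers`; it only knows which of its own accounts received an `Accept` from alice, which is why the pending follow from eve and the absence of any relationship for mallory both yield nothing. The second half of the thread's point is outside this check: once the post sits on a server whose software skips it, only that server's admin and code stand between the post and every local account.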
