this post was submitted on 26 Mar 2025
162 points (96.6% liked)
receiving posts is trivial but you need to convince others to send it to you. i can't just set up a malicious instance and get your private posts, i need to convince you to send them to me, and once convinced i can use any normal software to access it, no malicious custom thing needed. literally just follow me from a mastodon.social throwaway and you get my followers-only posts. content addressing is great on fedi and your instance sends your private posts exactly to who you want and no one else. pixelfed receives a private post and shows it to third parties, it's not the system's fault.
fedi is not great for sexting because your pics just sit in clear on your server admin's machine and all dms are easily searchable on db, it's a whole other issue
The whole point of this issue with Pixelfed is that none of what you describe is required.
Find any follower of a Fediverse account of any kind (Target Account) that's on a Pixelfed server. Go to that Pixelfed server, view "private" posts from Target Account there.
No need to set up a server, or get sent anything. Granted, even without this flaw ActivityPub is not the way to go for anything private.
This is the real issue. The whole story about how his partner's posts were getting shown to random people should have ended with both of them realizing that these posts were in no reliable way "private," and to stop putting them up with the assumption that they would be. Not with them yelling at Pixelfed for the way it works, and then yelling at Pixelfed again for starting to honor these fake privacy settings.
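The thread turns on whether the receiving server honors the addressing it was sent. As an added illustration (not part of any comment above and not Pixelfed's code), here is a default-deny visibility check a receiving server could apply before showing a federated post. The function names, the `accepted_followers` set and all example.test URIs are assumptions made for this sketch.

```python
# Added example: receiver-side audience check for an ActivityPub object.
# All actors and posts below are constructed sample data.
PUBLIC = {
    "https://www.w3.org/ns/activitystreams#Public",
    "as:Public",
    "Public",
}

def audience_of(obj):
    """Collect every addressing target (to/cc/bto/bcc/audience) as a set of URIs."""
    targets = set()
    for field in ("to", "cc", "bto", "bcc", "audience"):
        value = obj.get(field, [])
        if isinstance(value, str):
            value = [value]
        targets.update(v for v in value if isinstance(v, str))
    return targets

def can_view(obj, viewer, author_actor, accepted_followers):
    """Return True if `viewer` (actor URI, or None for a logged-out visitor) may see `obj`.

    author_actor: the author's actor document (uses its `id` and `followers`).
    accepted_followers: actor URIs this server knows follow the author
    (hypothetical local state kept by the receiving server).
    """
    audience = audience_of(obj)
    if audience & PUBLIC:
        return True
    if viewer is None:
        return False  # non-public objects are never shown to anonymous visitors
    if viewer == author_actor["id"] or viewer in audience:
        return True  # the author, or someone addressed directly
    if author_actor.get("followers") in audience:
        return viewer in accepted_followers  # followers-only: followers only
    return False  # default deny, including objects with no addressing at all

ALICE = {"id": "https://a.example.test/users/alice",
         "followers": "https://a.example.test/users/alice/followers"}
BOB = "https://pix.example.test/users/bob"      # follows alice
CAROL = "https://pix.example.test/users/carol"  # same server, does not follow
FOLLOWERS_ONLY = {"type": "Note", "attributedTo": ALICE["id"],
                  "to": [ALICE["followers"]]}
PUBLIC_POST = {"type": "Note", "attributedTo": ALICE["id"],
               "to": "https://www.w3.org/ns/activitystreams#Public",
               "cc": [ALICE["followers"]]}
KNOWN_FOLLOWERS = {BOB}
```

The case the thread describes is `CAROL`: she shares a server with a follower, so the post is stored there, but she is not in the audience and the check refuses her.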