I wouldn't call it Pixelfed's vulnerability, but a reminder that nothing on the Fediverse is private. Even if Pixelfed is fixed, someone can create a rogue instance to read others' private posts.
Fediverse
A community to talk about the Fediverse and all its related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If I understand it correctly, it's kind of both. Sounds like Pixelfed didn't follow best practice in setting privacy guardrails in follow request approval, and it exacerbates the inherent lack of privacy on the fediverse.
You're right of course, anyone (with the coding chops) could've intentionally set up an instance that does the same for malicious purposes. That should be a wake-up call for anyone who thinks ActivityPub is a great sexting medium.
I don't know about other fedi services, but Lemmy tells you at message composition that DMs are not safe/private. If Pixelfed doesn't do this, then that is really the issue.
Receiving posts is trivial, but you need to convince others to send it to you. I can't just set up a malicious instance and get your private posts; I need to convince you to send them to me, and once convinced I can use any normal software to access it, no malicious custom thing needed. Literally just follow me from a mastodon.social throwaway and you get my followers-only posts. Content addressing is great on fedi, and your instance sends your private posts exactly to who you want and no one else. Pixelfed receives a private post and shows it to third parties; it's not the system's fault.
Fedi is not great for sexting because your pics just sit in the clear on your server admin's machine and all DMs are easily searchable in the DB; it's a whole other issue.
The whole point of this issue with Pixelfed is that none of what you describe is required.
Find any follower of a Fediverse account of any kind (Target Account) that's on a Pixelfed server. Go to that Pixelfed server, view "private" posts from Target Account there.
No need to set up a server, or get sent anything. Granted, even without this flaw ActivityPub is not the way to go for anything private.
I kind of lean towards the idea of "private accounts" being a bad idea as a result, just because it creates a false sense of security. But I'm not in the target demographic so idk.
Yeah this just sounds like one of the drawbacks of a federated system. In order for people on remote servers to be able to see your "private" posts, your local server has to feed that info to them and trust them to handle it appropriately.
Wait, are new instances federated by default?
I thought admins had to choose who they were federated with.
There's easily over a thousand fediverse instances at this point, having to whitelist them all would be impractical.
Okay but this demonstrates why defaulting to federation is a bad idea, doesn't it?
The issue is that if you don't default to federation, it becomes essentially impossible for new instances to join the fediverse. A potential new instance would have to go around to every single existing instance and ask to be allowlisted, which is onerous for both the new instances and for the large server admins who would be getting tons of requests. It would also essentially kill small-scale selfhosting as a result.
The entire point of the fediverse is to federate. Not federating by default kills discoverability and the potential for discoverability among other things
It demonstrates that nothing on the fediverse is private, and bad hacks that pretend otherwise are a terrible idea.
Imo it demonstrates that for certain threat models the fediverse simply doesn't have the 100% secure answers.
The private account would still need to accept a follower from that rogue instance.
Yes, but the account/instance would need to actively research which instances are rogue, and beware of them. It could be solved by creating a tool which would automatically detect this ~~vulnerability~~ feature.
If you have a private account, why would you accept a follow from a user on a rogue instance?
I guess you would need to trust your friend to vet whatever instance they join. And you’d have to vet that you aren’t getting catfished by a threat actor using a friends identity but those are all problems regardless of whether that’s fixed since a malicious admin would have access to your posts so your friend can subscribe to them in the first place, whether this is fixed or not
Edited to add: I got this around the wrong foot, see the reply to this. /edit
Not necessarily, as clearly stated in the linked article:
But sure enough, the toot was followers only and the person that had liked it was not following her Mastodon account. When I took a look at the other persons profile on pixelfed.social, I noticed that the instance was nevertheless claiming the account was following her.
When pixelfed assumes that an account is not locked, it immediately treats a follow attempt as completed. For the server on the other end it looks like a normal follow request. It could be rejected, and pixelfed would still be convinced that a follow relation exists.
Absolutely necessarily.
It works like this:

@privateuser@mastodon.example.com has a "followers only" account. @someuser@pixelfed.example.com is a friend of the above account, requested access and was granted. This now causes mastodon.example.com to push all messages of @privateuser to pixelfed.example.com. @anotheruser@pixelfed.example.com requests access, but gets ignored. But the Pixelfed instance marks the user as "follows @privateuser".

- In the interface of @someuser, the messages are shown as expected.
- In the interface of @anotheruser, they are also shown, because PF basically does a database "select messages of users that the user follows", without checking if the access was ever granted.

Important to note that this would not happen if the messages weren't already pushed to the server due to the "allowed" user.
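The two comments above (the one quoting the article on Pixelfed treating a follow as completed, and the walkthrough with @privateuser, @someuser and @anotheruser) describe one mechanism. The script below is an added example written for this thread, not Pixelfed's or Mastodon's code, that replays that sequence against a deliberately simplified follow/status schema. The schema, the `locked` column being NULL for a remote profile that has not been refreshed, and the rule that a followers-only post is delivered once the remote server has accepted one follower on the instance are all assumptions made for the demonstration; only the sequence of events comes from the thread. `fixed=False` records an outgoing follow as accepted unless the cached profile is known to be locked; `fixed=True` keeps it pending until an Accept arrives, and the timeline query then only joins on accepted rows.

```python
import sqlite3

# Constructed, simplified schema for the demonstration (not Pixelfed's real tables).
SCHEMA = """
CREATE TABLE accounts (handle TEXT PRIMARY KEY, locked INTEGER);  -- NULL: profile never fetched
CREATE TABLE follows (
    follower TEXT NOT NULL,
    target   TEXT NOT NULL,
    state    TEXT NOT NULL CHECK (state IN ('pending', 'accepted')),
    PRIMARY KEY (follower, target)
);
CREATE TABLE statuses (
    id INTEGER PRIMARY KEY, author TEXT NOT NULL,
    visibility TEXT NOT NULL, body TEXT NOT NULL
);
"""

PRIVATE = "privateuser@mastodon.example.com"   # locked, followers-only account
FRIEND = "someuser@pixelfed.example.com"       # approved follower
STRANGER = "anotheruser@pixelfed.example.com"  # request ignored by the remote side


def new_instance():
    """Fresh Pixelfed-side database. The remote account's lock flag is NULL:
    the instance has not refreshed the profile, so it does not know it is locked."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(PRIVATE, None), (FRIEND, 0), (STRANGER, 0)])
    return db


def send_follow(db, follower, target, fixed):
    """Record an outgoing Follow activity.
    Buggy: unless the cached profile is known to be locked, treat the follow as
    completed at once. Fixed: every outgoing follow is pending until an Accept arrives."""
    (locked,) = db.execute("SELECT locked FROM accounts WHERE handle = ?", (target,)).fetchone()
    state = "pending" if fixed or locked == 1 else "accepted"
    db.execute("INSERT INTO follows VALUES (?, ?, ?)", (follower, target, state))


def receive_accept(db, follower, target):
    """Incoming Accept(Follow) from the remote server: only now is the follow real."""
    db.execute("UPDATE follows SET state = 'accepted' WHERE follower = ? AND target = ?",
               (follower, target))


def remote_push(db, remote_followers, author, visibility, body):
    """The remote (Mastodon) server delivers a status to this instance's inbox.
    Assumption: a followers-only post is delivered only if the remote server itself
    has accepted at least one follower living on this instance."""
    if visibility == "private" and not remote_followers:
        return False
    db.execute("INSERT INTO statuses (author, visibility, body) VALUES (?, ?, ?)",
               (author, visibility, body))
    return True


def home_timeline(db, viewer):
    """'select messages of users that the viewer follows'. The query itself checks
    state = 'accepted'; the bug is that send_follow may have written that state
    without the remote side ever granting access."""
    rows = db.execute("""
        SELECT s.body FROM statuses s
        JOIN follows f ON f.target = s.author
        WHERE f.follower = ? AND f.state = 'accepted'
        ORDER BY s.id""", (viewer,)).fetchall()
    return [r[0] for r in rows]


def scenario(fixed):
    """Replay the sequence from the thread; returns each viewer's timeline."""
    db = new_instance()
    remote_followers = set()  # the Mastodon server's own record of who it accepted

    send_follow(db, FRIEND, PRIVATE, fixed)    # friend asks and is approved
    receive_accept(db, FRIEND, PRIVATE)
    remote_followers.add(FRIEND)

    send_follow(db, STRANGER, PRIVATE, fixed)  # stranger asks; request is ignored

    # The friend is a real follower, so the private post is pushed to this instance.
    remote_push(db, remote_followers, PRIVATE, "private", "followers-only photo")
    return {FRIEND: home_timeline(db, FRIEND), STRANGER: home_timeline(db, STRANGER)}


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", scenario(fixed))
```

Running it shows the same post in both timelines in the buggy mode and only in the friend's timeline in the fixed mode; the post is in the instance's database either way, which is the point the thread makes about the accepted follower being the precondition.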
Yes, necessarily.
Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server
Ah, good catch. Thanks!
Some more US war plans?
Whut. I mean, probably, but not in this thread?
well that's not good
Nope. It looks like crash testing security in production, or "fuck around and find out" with other people's privacy.
I didn't even know "private" posts were a thing on the fediverse but now I guess I know to watch out for that. Maybe I'll post some privates after losing about 30 lbs
does it only effect privates? what about officers, like, say, captains?
Its like email, if a server decided that it would expose everyones emails, everyones emails are exposed.
Give it a rest. A fork of Mastodon created a new abstraction for "private posts" and started sending to instances some posts that were marked in a new way as "private," and now they're trying to blame Pixelfed for not adopting their homemade standard for what posts their servers are sending out to everyone that they're not supposed to show, and what ones they are supposed to show. And, Pixelfed fixed it once they became aware of the issue.
It's fixed in 1.12.5. Why is this not titled "Mastodon instances claim to their users to offer 'private' posts but send them out exactly like normal posts, get surprised when software that hasn't magically adopted their new standard is showing them to people"?
Honestly pixelfed should have just not fixed it. It's a fediverse problem that can be fixed and mastodon is just misleading people.
Platforms should either make it clear that it means just that the post isn't advertised by default on all platforms but is always accessible to anyone that wants it or actually implement e2e encryption.
I'm not sure I would go that far. A lot of "trust and safety" type things are like this, just soft boundaries to try to shape the types of interactions people are going to get themselves into to be a little more on the pleasant side. There's nothing wrong with Pixelfed trying to show some honor to the same advisory boundary. The real problem comes into it when projects like Mastodon start giving people the impression that "private" posts that are federated out are going to be able to stay private. As long as the user expectation is clear that it's just an advisory setting that will tweak the algorithms for showing the post in non-assurable ways, it is fine.