Oh, great. #Pixelfed had a broken implementation of "follower-only" posts, _and_ fucked up the disclosure / bugfix release process.
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html
Summary of the bug: If you have a protected account (on Pixelfed, Mastodon, GTS, whatever) and a Pixelfed user followed you and got approved by you, _all_ users on that instance were now able to see your followers-only posts, not just the one you approved.
#Fediverse #ActivityPub #security #fail
scy
npub15p…khvce
2025-03-25 22:28:33 UTC
Author Public Key
npub15pc5vt5kqgr60g389gl4n5zzuktz8wezz76klym9ew3puy3p8clqckhvceSeen on
wss://relay.momostr.pinkPublished at
2025-03-25 22:28:33 UTCEvent JSON
{
"id": "56f0298582ffbab2cbdeefa9ca778faff7b7cfb4c9d7e415d566e5c193ab7956",
"pubkey": "a071462e960207a7a2272a3f59d042e59623bb2217b56f9365cba21e12213e3e",
"created_at": 1742941713,
"kind": 1,
"tags": [
[
"t",
"fediverse"
],
[
"t",
"security"
],
[
"t",
"activitypub"
],
[
"t",
"pixelfed"
],
[
"t",
"fail"
],
[
"proxy",
"https://chaos.social/@scy/114225428160011112",
"web"
],
[
"proxy",
"https://chaos.social/users/scy/statuses/114225428160011112",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://chaos.social/users/scy/statuses/114225428160011112",
"pink.momostr"
],
[
"-"
]
],
"content": "Oh, great. #Pixelfed had a broken implementation of \"follower-only\" posts, _and_ fucked up the disclosure / bugfix release process.\n\nhttps://fokus.cool/2025/03/25/pixelfed-vulnerability.html\n\nSummary of the bug: If you have a protected account (on Pixelfed, Mastodon, GTS, whatever) and a Pixelfed user followed you and got approved by you, _all_ users on that instance were now able to see your followers-only posts, not just the one you approved.\n\n#Fediverse #ActivityPub #security #fail",
"sig": "ee97ed95680f05e12899d6313115e16b86cfc044ab0f28a4eee50313c5d6033cd406730783c7de68676a37afa738421d44dc98334143e7b9b02186a32be3d4d9"
}