A Misskey instance owner noticed a potential attack program. They implemented an invite system for registration, and thus disabled the original built-in API. Then the owner noticed an abnormal pattern in the Cloudflare log, where someone:

1. fetches /api/notes/featured to get trending posts
2. gets those people's profile images (whose toots were listed in step 1's response)
3. invokes the register API 5 times in a row

Those attackers share the same pattern across different IPs. And the owner noticed that they have some new users with random names and lacking proper usage patterns, who might have been registered by those programs.

@freemo Although that attack is against Misskey, do we have a similar problem? Just want to let you know :)

糖喵💕🍭(◍•ᴗ•◍)✧*  

There may already be automated attack programs targeting Misskey instances
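The three-step request sequence described in the post, written as a per-IP check over access-log records. This is an added example, not part of the original post or Misskey's code. The `/api/signup` and `/files/` paths, the 120-second window, the helper names and the sample records are assumptions made for illustration.

```python
from collections import defaultdict

FEATURED = "/api/notes/featured"  # path named in the post
REGISTER = "/api/signup"          # assumption: the instance's register endpoint
AVATAR_PREFIX = "/files/"         # assumption: where profile images are served
WINDOW = 120                      # assumption: seconds allowed for the whole sequence
BURST = 5                         # register calls in a row, per the post

def classify(path):
    path = path.split("?", 1)[0]  # ignore the query string
    if path == FEATURED:
        return "featured"
    if path == REGISTER:
        return "register"
    return "avatar" if path.startswith(AVATAR_PREFIX) else "other"

def find_suspects(records):
    """records: (epoch_seconds, client_ip, path) tuples -> {ip: time the sequence began}."""
    by_ip = defaultdict(list)
    for ts, ip, path in sorted(records):
        by_ip[ip].append((ts, classify(path)))
    suspects = {}
    for ip, events in by_ip.items():
        stage, start, run = 0, None, 0  # stage 1: saw featured, stage 2: saw avatar fetch
        for ts, kind in events:
            if start is not None and ts - start > WINDOW:
                stage, start, run = 0, None, 0  # sequence took too long, start over
            if kind == "featured":
                stage, start, run = 1, ts, 0
            elif stage == 1 and kind == "avatar":
                stage = 2
            elif stage == 2 and kind == "register":
                run += 1
                if run >= BURST:
                    suspects[ip] = start
                    break
            elif stage == 2:
                run = 0  # "in a row": any other request breaks the burst
    return suspects

# Constructed sample records (documentation-range IPs), not real log data.
def _bot(ip, t0):
    return [(t0, ip, FEATURED), (t0 + 1, ip, "/files/avatar-a.png")] + \
           [(t0 + 2 + i, ip, REGISTER) for i in range(BURST)]

SAMPLE = _bot("203.0.113.7", 1000) + _bot("198.51.100.9", 2000) + [
    (1000, "192.0.2.4", FEATURED), (1001, "192.0.2.4", "/files/avatar-b.png"),
    (1005, "192.0.2.4", REGISTER), (1006, "192.0.2.4", "/api/meta"),
] + [(3000 + i, "192.0.2.5", REGISTER) for i in range(BURST)]
```

`find_suspects(SAMPLE)` flags the two constructed addresses that follow the full sequence and leaves the single-signup visitor and the register-only client unflagged.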

Qoto Mastodon