Found this via Aurynn Shaw:

When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.
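The exchange the quoted post describes, shown as an added example that is not code from the original post, from Pixelfed, or from any other Fediverse server. In ActivityPub a server that receives a Follow in an inbox is expected to answer with an Accept or a Reject, and the follower's server should treat the relationship as pending until that answer arrives. The server names, actor URIs and the `waits_for_accept` flag below are all assumptions made for illustration; `waits_for_accept=False` models the mistake the post describes (treating a sent Follow as already accepted and ignoring the remote decision), not Pixelfed's actual implementation.

```python
# Constructed example: ActivityPub Follow -> Accept/Reject handling.
# Not code from Pixelfed, Mastodon or the original post; server names,
# actor URIs and the waits_for_accept flag are made up for illustration.
from dataclasses import dataclass, field

FOLLOW_PENDING, FOLLOW_ACCEPTED, FOLLOW_REJECTED = "pending", "accepted", "rejected"


@dataclass
class RemoteActor:
    """The account being followed, living on the server that owns it."""
    id: str
    manually_approves_followers: bool
    followers: set = field(default_factory=set)
    pending_requests: dict = field(default_factory=dict)  # follow id -> actor id

    def inbox_follow(self, activity: dict):
        """Side effect of receiving a Follow: the owning server decides.
        Returns the Accept/Reject to deliver back, or None while a locked
        account awaits its owner's manual decision."""
        assert activity["type"] == "Follow" and activity["object"] == self.id
        if self.manually_approves_followers:
            self.pending_requests[activity["id"]] = activity["actor"]
            return None
        self.followers.add(activity["actor"])
        return {"type": "Accept", "actor": self.id, "object": activity}

    def decide(self, follow_id: str, accept: bool) -> dict:
        """The locked account's owner approves or denies a pending request."""
        follower = self.pending_requests.pop(follow_id)
        if accept:
            self.followers.add(follower)
        return {"type": "Accept" if accept else "Reject", "actor": self.id,
                "object": {"id": follow_id, "type": "Follow",
                           "actor": follower, "object": self.id}}


@dataclass
class LocalServer:
    """The follower's server. waits_for_accept=True is the correct behaviour;
    False models treating a sent Follow as accepted and ignoring the answer."""
    waits_for_accept: bool = True
    follows: dict = field(default_factory=dict)  # (follower, target) -> state

    def send_follow(self, follower: str, target: RemoteActor) -> dict:
        activity = {"id": f"https://local.example/follows/{len(self.follows) + 1}",
                    "type": "Follow", "actor": follower, "object": target.id}
        self.follows[(follower, target.id)] = (
            FOLLOW_PENDING if self.waits_for_accept else FOLLOW_ACCEPTED)
        return activity

    def inbox_accept_or_reject(self, activity: dict) -> None:
        if not self.waits_for_accept:
            return  # the mistaken server never consults the remote decision
        follow = activity["object"]
        key = (follow["actor"], follow["object"])
        # Only the followed account's own server may answer its Follow.
        if activity["actor"] != follow["object"] or key not in self.follows:
            return
        self.follows[key] = (FOLLOW_ACCEPTED if activity["type"] == "Accept"
                             else FOLLOW_REJECTED)

    def can_read_followers_only(self, viewer: str, author: str) -> bool:
        """Authorization is per user: the viewer themselves must hold an
        accepted follow of the author, not merely someone on this server."""
        return self.follows.get((viewer, author)) == FOLLOW_ACCEPTED


def scenario(waits_for_accept: bool) -> dict:
    """Two local users ask to follow a locked remote account; the owner
    approves one and denies the other. Returns who can read private posts."""
    locked = RemoteActor("https://remote.example/users/locked",
                         manually_approves_followers=True)
    server = LocalServer(waits_for_accept=waits_for_accept)
    alice = "https://local.example/users/alice"
    mallory = "https://local.example/users/mallory"

    # Alice is a legitimate follower: the owner approves her request.
    locked.inbox_follow(server.send_follow(alice, locked))
    server.inbox_accept_or_reject(
        locked.decide(next(iter(locked.pending_requests)), accept=True))

    # Mallory's request is denied by the owner.
    locked.inbox_follow(server.send_follow(mallory, locked))
    server.inbox_accept_or_reject(
        locked.decide(next(iter(locked.pending_requests)), accept=False))

    return {"alice": server.can_read_followers_only(alice, locked.id),
            "mallory": server.can_read_followers_only(mallory, locked.id),
            "remote_followers": sorted(locked.followers)}


if __name__ == "__main__":
    print("correct:", scenario(True))
    print("mistaken:", scenario(False))
```

With `waits_for_accept=True` only Alice can read the locked account's followers-only posts; with `False` the local server also grants Mallory access even though the remote server never added her to its followers. The per-user check in `can_read_followers_only` is the second half of the fix: once one legitimate follower causes private posts to be delivered to the server, every other local user must still be checked against their own accepted follow before being shown them.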


@haverholm No you have it backwards.

This proves that the remote server does not decide whether you are allowed to do so.

Yes, this is a questionable decision of the engineering that underlies the Fediverse. This isn't a problem of Pixelfed: If you don't like this behavior, then blame the authors of ActivityPub and maybe find a different platform that behaves the way you would prefer.

This is just how this platform was designed to operate, for better or worse. I think for worse, but here we are.

Qoto Mastodon