When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.

Edited to add the last block quote.

you are viewing a single comment's thread
view the rest of the comments

[–] PhilipTheBucket@ponder.cat 3 points 2 months ago (10 children)

private posts are only sent to instances

Well, obviously they’re sent to some other ones, or else this wouldn’t be an issue.

This is a design flaw in the protocol. If your instance is going to send your private posts to other people, they’re not private. The authors need to fix your instance software, not demand that every other software in existence needs to “cooperate” and find out whether they’re “private” and not show them to the users if they are.

[–] Irelephant@lemm.ee 3 points 2 months ago (8 children)

No, Imagine this

There is @bob@pixelfed.example their is their friend, @joe@mastodon.example. bob also follows @jane@gotosocial.example

If bob makes a private post (ie, followers only), only the instances of people he follows will recieve the post. The instance will see that its supposed to be private, and not show it to everyone.

This may, gotosocial.example, mastodon.example and pixelfed.example have the post, but don't show it. misskey.example won't have the post.

Then, if gotosocial.example (hypothetically) had a bug where it ignored posts visibility settings, those posts would be shown, since the post is sent to that server. If misskey.example had a similar bug, nothing would happen as the post wouldn't have reached that server anyway.

[–] PhilipTheBucket@ponder.cat 3 points 2 months ago (7 children)

Yeah, so there's no real way to implement private posts on Mastodon.

I mean, it is fine if you want to implement sort of "best effort" semi-privacy and make it clear to everyone involved that that's what it is, but for any reasonable definition of "private," the requirement that it not get shown to people outside the list of people allowed to see it needs to be enforced better than this. There will always be server software that doesn't "cooperate." That's just the nature of open distributed systems. If you're making assurances to your users that their posts will be private, you need to be the one enforcing that, not everyone else on the network and the protocol needs to be set up with the ability for that to happen (which ActivityPub is not, which means it's misleading that someone told users that they can have "private" posts via this hack.)

[–] iltg@sh.itjust.works 1 points 2 months ago* (last edited 2 months ago) (1 children)

email works the same way. it's impossible to implement private emails? if you cc your email to im.going.to@leak.it and it leaks, would it be fair to complain about the whole email system?

e: should have read deeper first its already been said

[–] PhilipTheBucket@ponder.cat 2 points 2 months ago

https://discuss.privacyguides.net/t/email-isnt-private/20662

load more comments (5 replies)

load more comments (6 replies)