Another dust-up with Dansup lol…

cross-posted from: https://lemmy.crimedad.work/post/903768

The author of the article characterizes their findings as a vulnerability in Pixelfed: that it was treating all follow requests as approved. An update has already been released to make Pixelfed honor that setting, but the vulnerability still exists with ActivityPub in the feature itself. It gives users a false expectation of privacy, which is not safe.
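To make the follow-approval problem described above concrete, here is an added toy example (not Pixelfed's code, and not from the post) of a server handling an ActivityPub `Follow` for a locked account: the vulnerable handler treats every `Follow` as approved, so the stranger lands in the audience of followers-only posts; the fixed handler queues the request until the owner approves it. Actor URLs are constructed samples and `manually_approves_followers` is an assumed field name for the account's "locked" setting.

```python
# Added example (not Pixelfed's code): toy ActivityPub-style inbox handling that shows
# why treating every Follow as approved defeats a locked account's privacy setting.
from dataclasses import dataclass, field


@dataclass
class Account:
    actor_id: str
    manually_approves_followers: bool          # the "locked" setting (assumed field name)
    followers: set = field(default_factory=set)
    pending: set = field(default_factory=set)
    sent: list = field(default_factory=list)   # activities the server would deliver


def accept(acct: Account, follow: dict) -> None:
    """Record the follower and queue an Accept activity for their Follow."""
    acct.followers.add(follow["actor"])
    acct.sent.append({"type": "Accept", "actor": acct.actor_id,
                      "object": follow, "to": follow["actor"]})


def handle_follow_vulnerable(acct: Account, follow: dict) -> None:
    """Buggy behaviour from the post: every Follow is treated as approved."""
    accept(acct, follow)


def handle_follow_fixed(acct: Account, follow: dict) -> None:
    """Honour the setting: queue the request unless the account is open."""
    if acct.manually_approves_followers:
        acct.pending.add(follow["actor"])      # owner must approve explicitly
    else:
        accept(acct, follow)


def approve_pending(acct: Account, actor: str) -> None:
    """Owner's manual approval of a queued follow request."""
    if actor in acct.pending:
        acct.pending.discard(actor)
        accept(acct, {"type": "Follow", "actor": actor, "object": acct.actor_id})


def followers_only_audience(acct: Account) -> set:
    """Remote actors a followers-only post would be delivered to."""
    return set(acct.followers)


def demo() -> tuple[bool, bool]:
    """Returns (stranger_gets_post_when_vulnerable, stranger_withheld_when_fixed)."""
    follow = {"type": "Follow", "actor": "https://remote.example/users/stranger",
              "object": "https://pix.example/users/alice"}  # constructed sample
    vulnerable = Account("https://pix.example/users/alice", manually_approves_followers=True)
    handle_follow_vulnerable(vulnerable, follow)
    leaks = follow["actor"] in followers_only_audience(vulnerable)
    fixed = Account("https://pix.example/users/alice", manually_approves_followers=True)
    handle_follow_fixed(fixed, follow)
    withheld = follow["actor"] not in followers_only_audience(fixed)
    return leaks, withheld
```

Note that even the fixed handler only controls whom this server delivers to; once a post reaches a remote inbox, keeping it private depends on that remote server, which is the point the comments below argue over.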

  • PhilipTheBucket@ponder.cat
    3 upvotes · 6 days ago

    Lemmy DMs can be private, if all the people who have the ability to look at them all agree not to. That’s not how it works, so Lemmy does the right thing and warns you that they are not private.

    Privacy systems that depend on broadcasting information and then requesting that everyone who isn’t supposed to receive it should not pay attention are fine, for some things, but they are not good privacy systems.

    • irelephant [he/him]🍭@lemm.ee
      2 upvotes · edited · 15 hours ago

      The same can be said about email, which is arguably private.

      The privacy warning is because instance admins can see dms, not because random servers can.

      • PhilipTheBucket@ponder.cat
        2 upvotes · 6 days ago

        Email is not private. I think we’re running into a difference of definitions.

        Stuff that random unauthorized people can read if they want to, even if the number of people is small, is not private. To me. Other people might have different definitions, but that’s the one I am using when I say “private.”