Another dust-up with Dansup lol…

cross-posted from: https://lemmy.crimedad.work/post/903768

The author of the article characterizes their findings as a vulnerability in Pixelfed, that it was treating all follow requests as approved. An update has already been released to make Pixelfed honor that setting, but the vulnerability still exists with ActivityPub in the feature itself. It gives users a false expectation of privacy, which is not safe.

  • PhilipTheBucket@ponder.cat
    link
    fedilink
    arrow-up
    3
    ·
    6 days ago

    While we’re on the subject, all your votes on Lemmy are public, and Lemmy takes the same approach of “every software needs to agree to keep it a secret, and the ones that do not, don’t count, and the information is private because I say it’s supposed to be even if in practice it is not.” This should be more widely known.