Another dust-up with Dansup lol…
cross-posted from: https://lemmy.crimedad.work/post/903768
The author of the article characterizes their findings as a vulnerability in Pixelfed, that it was treating all follow requests as approved. An update has already been released to make Pixelfed honor that setting, but the vulnerability still exists with ActivityPub in the feature itself. It gives users a false expectation of privacy, which is not safe.
Well, I was responding to the person who said private posts weren’t possible.
AP is push based, meaning servers receive posts, rather than servers pulling posts. When you make a post it's sent to your followers' inboxes. If it's public, anyone can see the post, it can be "boosted" into people's timelines and it can be fetched with the URL of the post. If it's followers only, it will be sent to your followers' inboxes, but it cannot be boosted, and the URL will fail for anyone not authenticated.
The followers thing seems to be that the post was sent to pixelfed.social, but it wasn’t made private. If I have no followers on pixelfed, and I don’t let anyone on pixelfed view my posts, then pixelfed.social will have no record of my post, and thus it cannot expose it.
Consider email: a faulty, negligent or malicious server could start publicly exposing emails, but if you don't send emails to that server, the server cannot expose them.
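The push-delivery and fetch rules described in the comment above, as an added worked example that is not part of the thread and not Pixelfed's or Lemmy's own code. The actor and server names (lemmy.example, mastodon.example, pixelfed.example and their inbox URLs) and the follower list are constructed sample data, and the fetch/boost authorization policy is a simplified model of what a well-behaved origin server does; the `as:Public` address and its short aliases are the ones defined by ActivityStreams.

```python
"""Added example: how ActivityPub audience fields decide which inboxes a post is
pushed to, who may fetch it by URL, and whether it can be boosted."""
from urllib.parse import urlparse

# The ActivityStreams "public" marker and the aliases implementations accept.
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
PUBLIC_ALIASES = {PUBLIC, "as:Public", "Public"}

# Constructed sample data (hypothetical actors, servers and inbox URLs).
AUTHOR = "https://lemmy.example/u/alice"
FOLLOWERS_COLLECTION = AUTHOR + "/followers"
ACTORS = {  # actor id -> inbox the origin server POSTs to
    "https://mastodon.example/users/bob": "https://mastodon.example/inbox",
    "https://mastodon.example/users/carol": "https://mastodon.example/inbox",
    "https://misskey.example/users/dave": "https://misskey.example/users/dave/inbox",
    "https://pixelfed.example/users/eve": "https://pixelfed.example/i/inbox",
}
# eve is a known actor but does NOT follow alice.
FOLLOWERS = {
    "https://mastodon.example/users/bob",
    "https://mastodon.example/users/carol",
    "https://misskey.example/users/dave",
}


def make_create(note_id, content, public):
    """Build a Create(Note) activity. A public post addresses as:Public (and cc's
    the followers collection); a followers-only post addresses only the
    followers collection and never carries the public marker."""
    to = [PUBLIC] if public else [FOLLOWERS_COLLECTION]
    cc = [FOLLOWERS_COLLECTION] if public else []
    note = {"id": note_id, "type": "Note", "attributedTo": AUTHOR,
            "content": content, "to": to, "cc": cc}
    return {"id": note_id + "/activity", "type": "Create", "actor": AUTHOR,
            "to": to, "cc": cc, "object": note}


def is_public(activity):
    return any(a in PUBLIC_ALIASES
               for a in activity.get("to", []) + activity.get("cc", []))


def delivery_inboxes(activity, followers=FOLLOWERS, actors=ACTORS):
    """Resolve the addressing fields to the set of inboxes that get a POST.
    A server hosting no addressee is never contacted, so it never holds a copy."""
    inboxes = set()
    for addr in activity["to"] + activity["cc"]:
        if addr in PUBLIC_ALIASES:
            continue  # a marker, not a deliverable inbox
        if addr == FOLLOWERS_COLLECTION:
            inboxes.update(actors[f] for f in followers)
        elif addr in actors:  # a directly addressed actor
            inboxes.add(actors[addr])
    return inboxes


def servers_receiving(activity, followers=FOLLOWERS, actors=ACTORS):
    """Hostnames that end up with a copy of the post."""
    return {urlparse(i).netloc for i in delivery_inboxes(activity, followers, actors)}


def may_fetch(activity, requester, followers=FOLLOWERS):
    """Origin-server check for GET <post url>: public posts are served to
    anyone; followers-only posts only to the author or an authenticated
    (HTTP-signature-verified) follower. `requester` is None when unsigned."""
    if is_public(activity):
        return True
    if requester is None:
        return False
    return requester == AUTHOR or requester in followers


def may_announce(activity):
    """Boosting (Announce) would re-address the post to a new audience, so only
    public posts are boostable; a compliant server refuses for followers-only."""
    return is_public(activity)


if __name__ == "__main__":
    pub = make_create("https://lemmy.example/post/1", "hello, world", public=True)
    priv = make_create("https://lemmy.example/post/2", "followers only", public=False)
    print("public  ->", sorted(servers_receiving(pub)))
    print("private ->", sorted(servers_receiving(priv)))
    # If a pixelfed.example user follows alice, that server now receives the
    # private post and is trusted to honour its audience (the comment's point).
    print("private, eve follows ->",
          sorted(servers_receiving(priv, FOLLOWERS | {"https://pixelfed.example/users/eve"})))
    print("anon GET private:", may_fetch(priv, None), "| boost private:", may_announce(priv))
```

Running it shows that a followers-only post from alice is never pushed to pixelfed.example while nobody there follows her, and only starts landing in that server's inbox once a pixelfed.example account is in the follower set; from that point the privacy of the post depends on the receiving server enforcing the audience, which is exactly the trust boundary the comment describes.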