
Found this via Aurynn Shaw:

When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

Importantly, your Mastodon or GoToSocial instance isn't handing your private posts to any random server just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them to. When you accept a follower, you place your trust to keep a secret not only in them, but also in their admin and the software they are running.

Edited to add the last block quote.

[-] LambdaRX@sh.itjust.works 52 points 1 month ago

I wouldn't call it Pixelfed's vulnerability, but a reminder that nothing on the Fediverse is private. Even if Pixelfed is fixed, someone can create a rogue instance to read others' private posts.

[-] haverholm@kbin.earth 18 points 1 month ago

If I understand it correctly, it's kind of both. Sounds like Pixelfed didn't follow best practice setting privacy guardrails in follow request approval, and it exacerbates the inherent lack of privacy on the fediverse.

You're right of course, anyone (with the coding chops) could've intentionally set up an instance that does the same for malicious purposes. That should be a wake-up call for anyone who thinks ActivityPub is a great sexting medium.

[-] melmi@lemmy.blahaj.zone 14 points 1 month ago* (last edited 1 month ago)

I kind of lean towards the idea of "private accounts" being a bad idea as a result, just because it creates a false sense of security. But I'm not in the target demographic so idk

[-] troed@fedia.io 1 points 1 month ago

The private account would still need to accept a follower from that rogue instance.

[-] haverholm@kbin.earth 3 points 1 month ago

Edited to add: I got this around the wrong foot, see the reply to this. /edit

Not necessarily, as clearly stated in the linked article:

But sure enough, the toot was followers only and the person that had liked it was not following her Mastodon account. When I took a look at the other persons profile on pixelfed.social, I noticed that the instance was nevertheless claiming the account was following her.

When pixelfed assumes that an account is not locked, it immediately treats a follow attempt as completed. For the server on the other end it looks like a normal follow request. It could be rejected, and pixelfed would still be convinced that a follow relation exists.

[-] troed@fedia.io 5 points 1 month ago

Yes, necessarily.

Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks. The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server

[-] haverholm@kbin.earth 3 points 1 month ago

Ah, good catch. Thanks!

[-] SkaveRat@discuss.tchncs.de 4 points 1 month ago* (last edited 1 month ago)

Absolutely necessarily.

it works like this:

  • @privateuser@mastodon.example.com has a "followers only account".
  • @someuser@pixelfed.example.com is a friend of above account, requested access and was granted. This now causes mastodon.example.com to push all messages of @privateuser to pixelfed.example.com.
  • @anotheruser@pixelfed.example.com requests access, but gets ignored. But the pixelfed instance marks the user as "follows @privateuser"
  • In the interface of @someuser, the messages are shown as expected.
  • In the interface of @anotheruser, they are also shown. Because PF basically does a database "select messages of users that the user follows", without checking if the access was ever granted.

Important to note that this would not happen if the messages weren't already pushed to the server due to the "allowed" user.
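
The follow-state confusion described in the OP's post, in the quoted article excerpt above ("pixelfed assumes that an account is not locked ... immediately treats a follow attempt as completed") and in SkaveRat's step-by-step comment, as an added example. This is hypothetical Python written for this page, not Pixelfed's or Mastodon's code; the class and function names (`Instance`, `LockedAccount`, `send_follow`, `visible_posts_for`, `run_scenario`) and the example handles are made up. It models two servers: a locked account's home server that alone decides who may follow and pushes followers-only posts to a remote domain only once that domain has an accepted follower, and a remote instance that either tracks the Accept handshake properly (`strict=True`) or, as described in the thread, records a follow as complete the moment it is sent and shows posts to anyone with a follow row (`strict=False`).

```python
"""Toy model of the ActivityPub follow handshake and the bug described in the thread.

Added illustration for this page; not code from Pixelfed, Mastodon or GoToSocial.
All names and handles are hypothetical.
"""
from dataclasses import dataclass, field

PENDING, ACCEPTED, REJECTED = "pending", "accepted", "rejected"


@dataclass
class Post:
    author: str           # e.g. "@privateuser@mastodon.example.com"
    text: str
    followers_only: bool


@dataclass
class Instance:
    """The remote (follower-side) server. strict=False reproduces the described bug."""
    domain: str
    strict: bool = True
    follows: dict = field(default_factory=dict)   # (local_user, remote_handle) -> state
    inbox: list = field(default_factory=list)     # posts pushed to this server

    def send_follow(self, local: str, remote: str) -> None:
        # Buggy variant: assume the remote account is unlocked and mark the
        # relation as completed before any Accept activity has arrived.
        self.follows[(local, remote)] = PENDING if self.strict else ACCEPTED

    def handle_follow_response(self, local: str, remote: str, activity: str) -> None:
        # The origin server's answer to our Follow: "Accept" or "Reject".
        if activity == "Accept":
            self.follows[(local, remote)] = ACCEPTED
        elif activity == "Reject" and self.strict:
            self.follows[(local, remote)] = REJECTED
        # Buggy variant never downgrades: a Reject leaves the row at ACCEPTED.

    def receive_post(self, post: Post) -> None:
        # Delivered because at least one local user is an accepted follower;
        # from here on, access control is this server's responsibility.
        self.inbox.append(post)

    def visible_posts_for(self, local: str) -> list:
        out = []
        for post in self.inbox:
            if not post.followers_only:
                out.append(post)
                continue
            state = self.follows.get((local, post.author))
            # Strict: only an accepted follow grants access.
            # Buggy: "select posts of users that the user follows", i.e. any
            # follow row at all, without checking whether it was ever accepted.
            granted = state == ACCEPTED if self.strict else state is not None
            if granted:
                out.append(post)
        return out


@dataclass
class LockedAccount:
    """A followers-only account on its home server, which alone decides follows."""
    handle: str
    approved: set = field(default_factory=set)      # handles the owner approved
    delivered_to: set = field(default_factory=set)  # domains with an accepted follower

    def decide(self, follower: str, follower_server: Instance) -> None:
        if follower in self.approved:
            follower_server.handle_follow_response(follower, self.handle, "Accept")
            self.delivered_to.add(follower_server.domain)
        # Otherwise the request is simply ignored: no Accept is ever sent.

    def publish(self, text: str, followers_only: bool, servers: list) -> Post:
        post = Post(self.handle, text, followers_only)
        for server in servers:
            if not followers_only or server.domain in self.delivered_to:
                server.receive_post(post)
        return post


def run_scenario(strict: bool, someuser_approved: bool) -> dict:
    """Return which followers-only posts each Pixelfed-side user can see."""
    pf = Instance("pixelfed.example.com", strict=strict)
    priv = LockedAccount("@privateuser@mastodon.example.com")
    some, other = "@someuser@pixelfed.example.com", "@anotheruser@pixelfed.example.com"
    if someuser_approved:
        priv.approved.add(some)
    for user in (some, other):
        pf.send_follow(user, priv.handle)
        priv.decide(user, pf)
    priv.publish("followers only post", followers_only=True, servers=[pf])
    return {user: [p.text for p in pf.visible_posts_for(user)] for user in (some, other)}


if __name__ == "__main__":
    print("buggy, one accepted follower: ", run_scenario(strict=False, someuser_approved=True))
    print("strict, one accepted follower:", run_scenario(strict=True, someuser_approved=True))
    print("buggy, no accepted follower:  ", run_scenario(strict=False, someuser_approved=False))
```

The three runs line up with the thread: with the buggy instance and one approved follower, `@anotheruser` reads the post although the home server never accepted them; with a strict instance the same post reaches only `@someuser`; and with no accepted follower on that domain the post is never delivered at all, so even the buggy instance has nothing to leak.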

[-] LambdaRX@sh.itjust.works 1 points 1 month ago

Yes, but account/instance would need to actively research which instances are rogue, and beware of them. It could be solved by creating tool which would automatically detect this ~~vulnerability~~ feature.

[-] queermunist@lemmy.ml 1 points 1 month ago

Wait, are new instances federated by default?

I thought admins had to choose who they were federated with.

[-] RobotToaster@mander.xyz 11 points 1 month ago

There's easily over a thousand fediverse instances at this point, having to whitelist them all would be impractical.

[-] queermunist@lemmy.ml 2 points 1 month ago

Okay but this demonstrates why defaulting to federation is a bad idea, doesn't it?

[-] melmi@lemmy.blahaj.zone 9 points 1 month ago* (last edited 1 month ago)

The issue is that if you don't default to federation, it becomes essentially impossible for new instances to join the fediverse. A potential new instance would have to go around to every single existing instance and ask to be allowlisted, which is onerous for both the new instances and for the large server admins who would be getting tons of requests. It would also essentially kill small-scale selfhosting as a result.

[-] RobotToaster@mander.xyz 2 points 1 month ago

It demonstrates that nothing on the fediverse is private, and bad hacks that pretend otherwise are a terrible idea.

[-] Irelephant@lemm.ee -1 points 1 month ago

private posts are only sent to instances that either your followers or the list of people you want to see the post are on. If they all co-operate, you will be fine.

[-] surewhynotlem@lemmy.world 1 points 1 month ago

if they all cooperate

Gonna stop you right there

[-] Irelephant@lemm.ee -1 points 1 month ago

It's like email: an email server can decide to expose everyone's emails to the public, so don't add that email to your mailing list or email chain.

[-] BlueEther@no.lastname.nz 7 points 1 month ago
[-] haverholm@kbin.earth 8 points 1 month ago

Nope. It looks like crash testing security in production, or "fuck around and find out" with other people's privacy.

[-] SharkAttak@kbin.melroy.org 1 points 1 month ago

Some more US war plans?

this post was submitted on 26 Mar 2025