Pixelfed leaks private posts from other Fediverse instances
a year ago
- #privacy
- #fediverse
- #security
- Pixelfed had a vulnerability that exposed followers-only ("private") posts authored on other Fediverse instances to users who were never approved to see them.
- The issue stemmed from Pixelfed ignoring the ActivityPub 'manuallyApprovesFollowers' property on remote actors, so it treated every remote account as not locked.
- As a result, if a single user on a Pixelfed instance was an accepted follower of a locked remote account, that account's followers-only posts became visible to any user on that Pixelfed instance.
- The vulnerability was reported responsibly, but the maintainer's response was slow and poorly communicated.
- Pixelfed's fix was bundled into a large feature release (v0.12.5) rather than shipped as a standalone security patch, making it harder for admins to apply quickly.
- The incident highlights broader concerns about Pixelfed's security practices and maintainer behavior.
- The Fediverse relies on trust, and this incident underscores the need for better security and transparency.
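The checks that the list above says were missing, as an added example that is not part of the original page and not Pixelfed's own code: read 'manuallyApprovesFollowers' from the remote actor document, derive a post's visibility from its ActivityPub addressing, and gate followers-only posts on an accepted follow rather than on the author's lock state. The actor document, Note, user URLs and follow set are constructed for the example; `buggy_is_locked` and `lockstate_can_view` are hypothetical sketches of the failure mode the page describes, not a reconstruction of Pixelfed's internals.

```python
"""Added example, not from the page or from Pixelfed. All documents, URLs and
the follow relationship below are constructed for illustration."""
from __future__ import annotations

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

# Constructed actor document for a locked account on a remote, Mastodon-style instance.
LOCKED_ACTOR = {
    "id": "https://mastodon.example/users/carol",
    "type": "Person",
    "followers": "https://mastodon.example/users/carol/followers",
    "manuallyApprovesFollowers": True,
}

# Constructed followers-only Note: addressed to carol's followers collection, not to as:Public.
FOLLOWERS_NOTE = {
    "id": "https://mastodon.example/users/carol/statuses/1",
    "type": "Note",
    "attributedTo": LOCKED_ACTOR["id"],
    "to": [LOCKED_ACTOR["followers"]],
    "cc": [],
    "content": "followers only",
}

ALICE = "https://pixelfed.example/users/alice"   # carol accepted alice's follow
BOB = "https://pixelfed.example/users/bob"       # same instance, never followed carol
ACCEPTED_FOLLOWS = {(ALICE, LOCKED_ACTOR["id"])}  # (follower, followee) pairs the followee accepted


def is_locked(actor: dict) -> bool:
    """Read manuallyApprovesFollowers. Absent means false (the default);
    a present but non-boolean value is treated as locked so a malformed
    document fails closed instead of auto-accepting follows."""
    value = actor.get("manuallyApprovesFollowers")
    if isinstance(value, bool):
        return value
    return value is not None


def buggy_is_locked(actor: dict) -> bool:
    """Hypothetical sketch of the bug the page describes: the property is
    never read, so every remote account looks unlocked."""
    return False


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def post_visibility(note: dict, author: dict) -> str:
    """Derive visibility from addressing as Mastodon-compatible servers do:
    as:Public in `to` is public, in `cc` is unlisted; the author's followers
    collection without as:Public is followers-only; anything else is direct."""
    to = set(_as_list(note.get("to")))
    cc = set(_as_list(note.get("cc")))
    if PUBLIC in to:
        return "public"
    if PUBLIC in cc:
        return "unlisted"
    if author.get("followers") in to | cc:
        return "followers"
    return "direct"


def can_view(note: dict, author: dict, viewer: str | None, accepted: set[tuple[str, str]]) -> bool:
    """Hardened check: a followers-only post requires that the viewer's follow of
    the author was accepted; the author's lock state plays no part here."""
    vis = post_visibility(note, author)
    if vis in ("public", "unlisted"):
        return True
    if viewer is None:
        return False
    if vis == "followers":
        return (viewer, author["id"]) in accepted
    return viewer in set(_as_list(note.get("to"))) | set(_as_list(note.get("cc")))


def lockstate_can_view(note, author, viewer, accepted, locked_fn) -> bool:
    """Hypothetical check that keys followers-only visibility off the author's lock
    state. With buggy_is_locked every remote author looks unlocked, so the post
    is shown to any logged-in local user: the leak described on the page."""
    if post_visibility(note, author) == "followers" and viewer is not None and not locked_fn(author):
        return True
    return can_view(note, author, viewer, accepted)


def handle_follow(follow: dict, target: dict, accepted: set, pending: set) -> str:
    """Inbound Follow: auto-Accept only when the target is not locked;
    otherwise queue it for the target's manual approval."""
    pair = (follow["actor"], follow["object"])
    if is_locked(target):
        pending.add(pair)
        return "pending"
    accepted.add(pair)
    return "Accept"


if __name__ == "__main__":
    print("alice:", can_view(FOLLOWERS_NOTE, LOCKED_ACTOR, ALICE, ACCEPTED_FOLLOWS))  # True
    print("bob:", can_view(FOLLOWERS_NOTE, LOCKED_ACTOR, BOB, ACCEPTED_FOLLOWS))  # False
    print("bob, lock state ignored:",
          lockstate_can_view(FOLLOWERS_NOTE, LOCKED_ACTOR, BOB, ACCEPTED_FOLLOWS, buggy_is_locked))  # True
```

The design point is that `can_view` never consults the lock flag: visibility comes from the post's own addressing and the stored accepted-follow relationship, so a server that gets 'manuallyApprovesFollowers' wrong can at most auto-accept a follow it should have queued, not reveal posts to users who were never followers.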