The fediverse, also known as the open social web that includes Mastodon, Meta’s Threads, Pixelfed, and other apps (…)
Mention Lemmy for once 😠
Meta’s Threads
LOL
We are tiny in comparison to the rest of the fediverse.
But its actually usable, pixelfed sucks, prob way more actual engagement and conversation here, pixelfed is hella ppl posting with no likes or views
I mean, discoverability is hard, sure, but add a few hashtags and you can get a lot of people to see your posts. also, mentioning a lemmy group as a user posts your post to the community.
no one does that mentioning tho, I dont want to flood communities with only my posts
If I post a picture of a pet or something, I’d mention a community.
deleted by creator
Yeah!
I asked here about that and was told there’s not enough of us here. Meh.
Funny how that works. Wonder if not mentioning it will help remedy that?
Also Lemmy: Here’s a bunch of death threats and pictures of a pig taking a shit because you said democracy was a good idea
Was the first paragraph written by the Meta marketing department?
Yeah, there’s also this:
A more recent issue came about when Pixelfed’s creator, Daniel Supernault made the details of a vulnerability public before server operators had a chance to update, which would have left the fediverse vulnerable to bad actors, she says. (Supernault has already apologized publicly for his handling of the issue that had affected private accounts.)
In the case of the Pixelfed issue, for instance, the Hachyderm Mastodon server, which has over 9,500 members, decided it needed to defederate (or disconnect from) other Pixelfed servers that hadn’t been updated in order to protect their users.
It is weird to spend almost half the words in this, pretending that something in Pixelfed that wasn’t a problem on Pixelfed’s side was. This is the weirdest “vulnerability” in the world to pick if you want to pick one to hold up extensively as an example.
Regardless whether you want to pretend that not caring about Mastodon is a valid defense when implementing software using the ActivityPub protocol, that still doesn’t change anything regarding how Dansup handled the disclosure of the effects it had.
- This is nothing to do with ActivityPub. It’s to do with Mastodon’s custom implementation of “private” posts.
- Making it extremely clear to everyone that random server software can expose Mastodon’s “private” posts is absolutely the right way to handle disclosure here. Dan didn’t even try to do that, he just fixed the bug, but if he had made a big post saying “hey this is not my fault Mastodon private posts are not private, here’s full explanation about what’s going on” I think that would have been completely fine. This is not a “vulnerability” in the traditional sense like a buffer overflow, it’s just a design flaw in Mastodon which other softwares are by convention agreeing to cater to. I think the culture of security (and the level of clue in general) in the Fediverse has wandered into territory where “let’s all pretend that these posts are secure and get mad at anyone who reveals that they are not” is widely accepted now, but that doesn’t make it right.
It has everything to do with ActivityPub since if you follow that protocol strictly you will cause this behavior. It still doesn’t change that Dansup was told that this caused Bad Things™ and yet he didn’t follow normal procedure in how you handle it.
Vulnerabilities don’t need to be buffer overflows.
/cybersec researcher
It has everything to do with ActivityPub since if you follow that protocol strictly you will cause this behavior.
Absolutely not. Which part of the spec? I linked up there to quite a thorough explanation of what the spec does and doesn’t dictate in this area, and how Mastodon chooses to behave in its implementation. What part of my explanation did I get wrong? Are they violating 5.1, 5.2, 7.1, some other part? How?
/cybersec researcher
I do not believe you. “I’m sending things out which need to be handled carefully in a protocol-nonstandard way by the recipient server software (which could be literally anything), or else my user’s private posts will be exposed. If someone talks about that situation and lets people know what’s going on, that’s irresponsible disclosure.”
If you actually are a cybersec researcher, you are bad at your job.
hahahahaha
Watch and try again ;) I post under my real name.
https://www.cve.org/CVERecord?id=CVE-2024-44754
https://www.youtube.com/watch?v=ZbKLAjPYOEg
Feel free to post less and read more.
Okay. What part of the spec did Pixelfed violate? Where in the spec is Mastodon’s implementation of private posts justified?
Maybe I’m wrong, but shouldn’t posts only be insecure if they’re propagated to the insecure instance? Is any private post visible to people on servers that the poster doesn’t have followers on?
Could Icurlthe uri of a post thats “private” and get the post’s content?Maybe I’m wrong, but shouldn’t posts only be insecure if they’re propagated to the insecure instance?
“Insecure” in this case simply means any server that doesn’t implement Mastodon’s custom handling for “private” posts. With that definition, the answer to your question is yes. It has been mentioned by Mastodon people that this is a significant problem for the ability to actually keep these private posts private in the real world. The chance of it going wrong is small (depending on your follower count) but the potential for harm is very large. I would therefore go further, and say that it’s a very bad thing that Mastodon is telling people that these posts are “private” when the mechanism which is supposed to keep them private is so unreliable.
https://github.com/mastodon/mastodon/issues/712
Is any private post visible to people on servers that the poster doesn’t have followers on?
It is not. If you’re sufficiently careful with approving your followers, making sure that each of them is on an instance that’s going to handle private posts the way you expect, then you’re probably fine.
Could I curl the uri of a post thats “private” and get the post’s content?
If it’s been federated to an insecure server then yes. If not then I think no.
Mastodon really is the internet explorer of the fediverse.
In any case, I don’t think its that bad. I would compare it to an email provider accidentially leaking messages. Still bad, but its not a reason to abandon email as a means of communication.
We should encrypt posts, like diaspora does. Like how we should pgp encrypt emails, but no one will.also, I just checked myself, a random “private” post I made isn’t accessible over AP if I curl it unauthenticated. Running
curl.exe https://calckey.world/notes/a63slz8j6l -H "Accept: application/activity+json"returns nothing, but replacing the uri with a public post does show it.
An insecure server’s copy of the post isn’t accessible over AP, only the original post’s link should return anything.
I still feel that interoperability between mastadon and Lemmy is kind of messed up. How to browse a Lemmy community through mastodon application?
You cannot use a mastodon app as a lemmy client, but you can view lemmy communities by opening them as if they are profiles. For example, open @fediverse@lemmy.world and it will show up as a user, but it will be the communitiy’s posts.
You can mention it in a post to forward the post to the community as well.
I can’t wait to find out which project has the most security holes 🔥
Any guesses?
The ones with the most amount of code lines and dependencies probably. More code = more problems.
IMO poor security is more about a lack of eyes on the code. Projects that have a single developer and a lower user-base will be pretty easy money.
…that will pay those who responsibly disclose security vulnerabilities that affect fediverse apps and services.
If it is straight to the project, then I’m all for it. Otherwise, it seems sus.
It is to the person who discovers the vulnerability. That’s fairly normal… how would giving it to someone else motivate the result they’re trying to get?
