fiona

-- Anzeige/Ad -- [X]

mastodon

pixelfed instance admins: Please update pixelfed to v0.12.5 asap. The version contains fixes for serious security vulnerabilities that I reported.
I will disclose further details about the vulnerabilities in about 24 hours.

Als Antwort auf fiona

mastodon

fiona

Als Antwort auf fiona • 1 Woche her • •

Pixelfed before v0.12.5 has a vulnerability where it could leak your private posts, regardless of whether you are a Pixelfed user or not.
Admins should update ASAP.

When following someone from a different server on the Fediverse, the remote server decides whether you are allowed to do that. This enables features like locked accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. If a legitimate user from a Pixelfed instance follows you on your locked account, anyone on that Pixelfed instance can read your private posts.

I wrote a blog post about how I found the vulnerability, how disclosure coordination went and general ramblings about Fediverse safety:
fokus.cool/2025/03/25/pixelfed…

#pixelfed #fediverse #activitypub

Pixelfed leaks private posts from other Fediverse instances - fiona fokus

^fokus.cool

Dieser Beitrag wurde bearbeitet. (1 Woche her)

Diese Webseite verwendet Cookies. Durch die weitere Benutzung der Webseite stimmst du dieser Verwendung zu. https://inne.city/tos

Verbinden Sie Ihr Profil hier wahlweise auch mit Twitter, BlueSky, Wordpress, Blogger und anderen Plattformen...

fiona

fiona

fiona 1 Woche her • •

fiona

Pixelfed leaks private posts from other Fediverse instances - fiona fokus

fiona
1 Woche her • •