2025/03/27

From Mew

Pixelfed security bug
2025-03-25 Pixelfed leaks private posts from other Fediverse instances

  • 09:43 Actually, it's unclear what the best action is. Even with a "limit", our users could still accept a follow request from them, which would open the security hole for exploitation from the remote user's instance. On the other hand, is that likely to happen?
    • Also, the more extreme option -- "suspend" -- permanently deletes all followership in both directions, so I hesitate to invoke that on any instance where there is any followership between us and them...
  • 09:31 I decided that the best thing to do for now was just to limit all instances that don't have a lot of remote followers, going on the theory that this will prevent new exploits of the bug and hopefully nobody has already taken advantage of it to access private accounts on our instance. (This is currently in progress.)

Known Affected Instances

via this list

domain                  #LF/#RF  date        action     notes
pixelfed.tokyo          3/1      2025-03-27  limited
milpamerica.org         0/0      2025-03-27  suspended
luzeed.org              0/0      2025-03-27  suspended
pix.anduin.net          0/0      2025-03-27  suspended
bolha.photos            0/0      2025-03-27  suspended
social.photo            0/1      2025-03-27  limited
pixelfed.eus            1/0      2025-03-27  limited
pix.ublog.tech          0/0      2025-03-27  suspended
pi.dead.guru            n/a      n/a         not found  (way out of date!)
pics.80px.com           0/0      2025-03-27  suspended
pixel.pol.social        0/0      2025-03-27  suspended
gpose.site              0/0      2025-03-27  suspended
pixels.gsi.li           0/0      2025-03-27  suspended
geekdom.pics            0/0      2025-03-27  suspended
pixelfed.graz.social    0/0      2025-03-27  suspended
chueok.pics             0/0      2025-03-27  suspended
fotolibre.social        0/0      2025-03-27  suspended
gr8.pics                0/0      2025-03-27  suspended
pixel-food.com          0/0      2025-03-27  suspended
crafty.social           0/0      2025-03-27  suspended
sub-pixel.de            0/0      2025-03-27  suspended
lgbt.earth              0/0      2025-03-27  suspended
pixelfed.aargaunet.ch   0/0      2025-03-27  suspended
pix.h5.si               n/a      n/a         not found
wanderers-waypoint.com  0/0      2025-03-27  suspended
pixelfed.drewfra.nz     0/1      2025-03-27  limited

Terminology

  • "#LF" = number of local followers (i.e. follows from us to accounts there), which the UI calls "their followers here"
  • "#RF" = number of remote followers (i.e. follows from them to accounts here), which the UI calls "our followers there" -- this is what opens the security hole

The UI terminology is a little ambiguous. One screen for a given domain says "their followers here" = 3 and "our followers there" = 1, but then when I go to suspend the domain it says "Followers their users would lose" = 3 and "Followers our users would lose" = 1, which is the opposite of how I initially interpreted the first screen – I took "their followers here" to mean "their followers of our users", but it actually means our users following theirs.
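The triage rule that the log entries and the table above follow (suspend only where there is no followership in either direction, limit otherwise, and treat only #RF as the direction that exposes private posts), written up as a small helper. This is an added example, not code from this page or from Pixelfed; the policy it encodes and the row format it parses are assumptions read off the table, and the sample rows are constructed.

```python
# Triage helper for the 2025-03-25 Pixelfed private-post leak. Added example,
# not Pixelfed's code; the policy is an assumption read off the log and table.
from dataclasses import dataclass

@dataclass
class Instance:
    domain: str
    local_followers: int   # "#LF": follows from us to accounts there
    remote_followers: int  # "#RF": follows from them to accounts here
    recorded: str = ""     # action already taken, if the row has one

def choose_action(inst):
    # "suspend" permanently deletes followership both ways, so it is reserved
    # for 0/0 rows; any existing followership gets "limit" (blocks new follows).
    if inst.local_followers == 0 and inst.remote_followers == 0:
        return "suspend"
    return "limit"

def parse_rows(lines):
    # Rows shaped like the page's table: 'domain LF/RF date action'; rows with
    # 'n/a' counts (instance not found) carry nothing to act on and are skipped.
    out = []
    for line in lines:
        parts = line.split()
        counts = parts[1].split("/") if len(parts) > 1 else []
        if len(counts) != 2 or not all(c.isdigit() for c in counts):
            continue
        action = parts[3] if len(parts) > 3 else ""
        out.append(Instance(parts[0], int(counts[0]), int(counts[1]), action))
    return out

def triage(lines):
    # domain -> (policy action, exposed): only the remote->local direction
    # (#RF) lets the remote instance fetch private posts from here.
    return {i.domain: (choose_action(i), i.remote_followers > 0)
            for i in parse_rows(lines)}

def policy_mismatches(lines):
    # Rows whose recorded action disagrees with the policy, e.g. on a re-check
    # after follower counts have changed since the table was written.
    return [i.domain for i in parse_rows(lines)
            if i.recorded and not i.recorded.startswith(choose_action(i))]

SAMPLE = [  # constructed rows in the page's table layout
    "pixelfed.tokyo 3/1 2025-03-27 limited",
    "milpamerica.org 0/0 2025-03-27 suspended",
    "social.photo 0/1 2025-03-27 limited",
    "pix.h5.si n/a n/a not found",
    "example.invalid 2/0 2025-03-27 suspended",  # disagrees with the policy
]
```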