Difference between revisions of "2025/03/27"

From Mew
Revision as of 13:46, 27 March 2025

Pixelfed security bug
2025-03-25 Pixelfed leaks private posts from other Fediverse instances (https://fokus.cool/2025/03/25/pixelfed-vulnerability.html)

  • 09:43 Actually, it's unclear what the best action is. Even with a "limit", our users could still accept a follow request from them, which would open the security hole for exploitation from the remote user's instance. On the other hand, is that likely to happen?
    • Also, the more extreme option -- "suspend" -- permanently deletes all followership in both directions, so I hesitate to invoke that on any instance where there is any followership between us and them...
  • 09:31 I decided that the best thing to do for now was just limit all instances that don't have a lot of remote followers, going on the theory that this will prevent new exploits of the bug and hopefully nobody has already taken advantage of it to access private accounts on our instance. (This is currently in progress.)

Known Affected Instances

via this list

domain                   #RF / #LF   action               notes
pixelfed.tokyo           1 / 3       2025-03-27 limited
milpamerica.org          0 / 0       2025-03-27 limited
luzeed.org               0 / 0       2025-03-27 limited
pix.anduin.net
bolha.photos
social.photo
pixelfed.eus
pix.ublog.tech
pi.dead.guru                                              (way out of date!)
pics.80px.com
pixel.pol.social
gpose.site
pixels.gsi.li
geekdom.pics
pixelfed.graz.social
chueok.pics
fotolibre.social
gr8.pics
pixel-food.com
crafty.social
sub-pixel.de
lgbt.earth
pixelfed.aargaunet.ch
pix.h5.si
wanderers-waypoint.com
pixelfed.drewfra.nz

Terminology

  • "#RF" = number of remote followers (i.e. follows from them to accounts here), which the UI calls "our followers there".
  • "#LF" = number of local followers (i.e. follows from us to accounts there), which the UI calls "their followers here".

The UI terminology is a little ambiguous. One screen for a given domain says "their followers here" = 3 and "our followers there" = 1, but then when I go to suspend the domain it says "Followers their users would lose" = 3 and "Followers our users would lose" = 1, which is the opposite of how I initially interpreted the first screen – I took "their followers here" to mean "their followers of our users", but it actually means our users following theirs.
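As an added illustration, not part of this diary, the rule from the 09:31 entry ("limit instances that don't have a lot of remote followers") and the #RF/#LF terminology above, encoded as a small Python triage over rows in the table's flattened layout. The sample domains are constructed, and the threshold for "a lot" of remote followers (`many_rf`) is an assumption, since the page never gives a number.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample rows in the wiki table's flattened layout (hypothetical domains).
SAMPLE_ROWS = """\
example-a.pics 1 / 3 2025-03-27 limited
example-b.social 0 / 0 2025-03-27 limited
example-c.photos 12 / 4
example-d.pics (way out of date!)
"""
# domain, optional "#RF / #LF", optional "date action", then free-text notes
ROW_RE = re.compile(
    r"^(?P<domain>\S+)"
    r"(?:\s+(?P<rf>\d+)\s*/\s*(?P<lf>\d+))?"
    r"(?:\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<action>limited|suspended))?"
    r"\s*(?P<notes>.*)$"
)

@dataclass
class Instance:
    domain: str
    remote_followers: Optional[int]  # #RF: their accounts following ours
    local_followers: Optional[int]   # #LF: our accounts following theirs
    action_taken: Optional[str]      # "limited"/"suspended" once applied
    notes: str

def parse_row(line: str) -> Instance:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    rf = int(m["rf"]) if m["rf"] is not None else None
    lf = int(m["lf"]) if m["lf"] is not None else None
    return Instance(m["domain"], rf, lf, m["action"], m["notes"].strip())

def recommend(inst: Instance, many_rf: int = 5) -> str:
    """Diary rule: limit instances that don't have a lot of remote followers.
    'A lot' is undefined on the page; many_rf is an assumed threshold."""
    if inst.action_taken:
        return f"already {inst.action_taken}"
    if inst.remote_followers is None:
        return "review: follower counts unknown"
    if inst.remote_followers < many_rf:
        return "limit"
    # Limiting still lets a local user accept one of their follow requests, while
    # suspending would delete every follow in both directions: a human decision.
    return "review: many remote followers; suspend would delete followership"

def triage(table_text: str) -> dict:
    return {i.domain: recommend(i) for i in map(parse_row, table_text.strip().splitlines())}
```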