Difference between revisions of "2025/03/27"
Latest revision as of 14:23, 27 March 2025
Pixelfed security bug
2025-03-25 Pixelfed leaks private posts from other Fediverse instances (https://fokus.cool/2025/03/25/pixelfed-vulnerability.html)
- 09:43 Actually, it's unclear what the best action is. Even with a "limit", our users could still accept a follow request from them, which would open the security hole for exploitation from the remote user's instance. On the other hand, is that likely to happen?
- Also, the more extreme option -- "suspend" -- permanently deletes all followership in both directions, so I hesitate to invoke that on any instance where there is any followership between us and them...
- 09:31 I decided that the best thing to do for now was just limit all instances that don't have a lot of remote followers, going on the theory that this will prevent new exploits of the bug and hopefully nobody has already taken advantage of it to access private accounts on our instance. (This is currently in progress.)
Known Affected Instances
via this list (https://toot.cat/@EveHasWords/114234111370560450)
| domain | #LF/#RF | action | notes |
|---|---|---|---|
| pixelfed.tokyo | 3/1 | 2025-03-27 limited | |
| milpamerica.org | 0/0 | 2025-03-27 suspended | |
| luzeed.org | 0/0 | 2025-03-27 suspended | |
| pix.anduin.net | 0/0 | 2025-03-27 suspended | |
| bolha.photos | 0/0 | 2025-03-27 suspended | |
| social.photo | 0/1 | 2025-03-27 limited | |
| pixelfed.eus | 1/0 | 2025-03-27 limited | |
| pix.ublog.tech | 0/0 | 2025-03-27 suspended | |
| pi.dead.guru | n/a | n/a | not found (way out of date!) |
| pics.80px.com | 0/0 | 2025-03-27 suspended | |
| pixel.pol.social | 0/0 | 2025-03-27 suspended | |
| gpose.site | 0/0 | 2025-03-27 suspended | |
| pixels.gsi.li | 0/0 | 2025-03-27 suspended | |
| geekdom.pics | 0/0 | 2025-03-27 suspended | |
| pixelfed.graz.social | 0/0 | 2025-03-27 suspended | |
| chueok.pics | 0/0 | 2025-03-27 suspended | |
| fotolibre.social | 0/0 | 2025-03-27 suspended | |
| gr8.pics | 0/0 | 2025-03-27 suspended | |
| pixel-food.com | 0/0 | 2025-03-27 suspended | |
| crafty.social | 0/0 | 2025-03-27 suspended | |
| sub-pixel.de | 0/0 | 2025-03-27 suspended | |
| lgbt.earth | 0/0 | 2025-03-27 suspended | |
| pixelfed.aargaunet.ch | 0/0 | 2025-03-27 suspended | |
| pix.h5.si | n/a | n/a | not found |
| wanderers-waypoint.com | 0/0 | 2025-03-27 suspended | |
| pixelfed.drewfra.nz | 0/1 | 2025-03-27 limited | |
Terminology
- "#LF" = number of local followers (i.e. follows from us to accounts there), which the UI calls "their followers here"
- "#RF" = number of remote followers (i.e. follows from them to accounts here), which the UI calls "our followers there" -- this is what opens the security hole
The UI terminology is a little ambiguous. One screen for a given domain says "their followers here" = 3 and "our followers there" = 1, but then when I go to suspend the domain it says "Followers their users would lose" = 3 and "Followers our users would lose" = 1, which is the opposite of how I initially interpreted the first screen – I took "their followers here" to mean "their followers of our users", but it actually means our users following theirs.
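As an added example (not the wiki author's tooling, and not Pixelfed or Mastodon project code), the Python below computes the #LF/#RF counts defined above from a list of follow edges, lists the local accounts whose followers-only posts have already been delivered to an affected domain (the #RF direction, the one the log identifies as the hole), and applies the decision rule the log describes: suspend where there is no followership in either direction, limit otherwise. The local domain name `example.social`, the sample accounts and follow edges, the `REVIEW_ABOVE` threshold and the "review" bucket are assumptions made here; the `silence`/`suspend` severity names are Mastodon's API terms for what the admin UI calls "limit" and "suspend", and the `POST /api/v1/admin/domain_blocks` request bodies are only built for a dry run, never sent.

```python
"""Triage helpers for the Pixelfed private-post leak (added example).

#LF = follows from local accounts to accounts on a domain ("their followers here").
#RF = follows from accounts on that domain to local accounts ("our followers there").
The #RF direction is the exposure: followers-only posts of a local account are
delivered to every follower's server, including an affected Pixelfed instance.
"""
from collections import defaultdict
from dataclasses import dataclass

LOCAL_DOMAIN = "example.social"   # assumed name of "our" instance
REVIEW_ABOVE = 10                 # assumed threshold for the manual-review bucket


@dataclass(frozen=True)
class Account:
    handle: str            # "user@domain"
    private: bool = False  # posts followers-only (typically a locked account)


def domain_of(handle: str) -> str:
    return handle.rsplit("@", 1)[1]


def followership(edges, affected):
    """Per affected domain -> (lf, rf), from (follower, followed) handle pairs."""
    counts = {d: [0, 0] for d in affected}
    for follower, followed in edges:
        fd, td = domain_of(follower), domain_of(followed)
        if fd == LOCAL_DOMAIN and td in counts:
            counts[td][0] += 1      # we follow them: #LF
        elif td == LOCAL_DOMAIN and fd in counts:
            counts[fd][1] += 1      # they follow us: #RF
    return {d: tuple(v) for d, v in counts.items()}


def exposed_accounts(edges, accounts, affected):
    """Local followers-only posters with at least one follower on an affected
    domain: their private posts have already been delivered to that server."""
    private = {a.handle for a in accounts
               if a.private and domain_of(a.handle) == LOCAL_DOMAIN}
    out = defaultdict(set)
    for follower, followed in edges:
        if followed in private and domain_of(follower) in affected:
            out[followed].add(domain_of(follower))
    return {h: sorted(ds) for h, ds in out.items()}


def decide(lf, rf):
    """Mastodon domain-block severity for one domain, per the log's rule."""
    if lf == 0 and rf == 0:
        return "suspend"   # nothing to lose by cutting them off completely
    if rf > REVIEW_ABOVE:
        return "review"    # assumption: too many of our accounts involved to decide blindly
    return "silence"       # the UI's "limit": keeps existing follows in both directions


def plan(edges, affected):
    return {d: decide(lf, rf) for d, (lf, rf) in followership(edges, affected).items()}


def domain_block_payloads(actions, comment="Pixelfed private-post leak, 2025-03-25"):
    """Bodies for POST /api/v1/admin/domain_blocks (Mastodon 4.x). Nothing is sent."""
    return [{"domain": d, "severity": s, "private_comment": comment}
            for d, s in actions.items() if s in ("silence", "suspend")]


# Constructed sample data (not real accounts). The counts reproduce two rows of
# the table above, pixelfed.tokyo 3/1 and social.photo 0/1; milpamerica.org has
# no follows in either direction.
AFFECTED = {"pixelfed.tokyo", "social.photo", "milpamerica.org"}
ACCOUNTS = [Account("alice@example.social", private=True),
            Account("bob@example.social"),
            Account("carol@example.social", private=True)]
EDGES = [
    ("alice@example.social", "photo1@pixelfed.tokyo"),
    ("bob@example.social", "photo2@pixelfed.tokyo"),
    ("carol@example.social", "photo2@pixelfed.tokyo"),
    ("photo1@pixelfed.tokyo", "alice@example.social"),  # #RF: alice's private posts are on that server
    ("snap@social.photo", "bob@example.social"),        # #RF, but bob does not post followers-only
]

if __name__ == "__main__":
    for d, (lf, rf) in sorted(followership(EDGES, AFFECTED).items()):
        print(f"{d}: #LF={lf} #RF={rf} -> {decide(lf, rf)}")
    print("exposed:", exposed_accounts(EDGES, ACCOUNTS, AFFECTED))
    print("dry run:", domain_block_payloads(plan(EDGES, AFFECTED)))
```

The `exposed_accounts` output is the part worth keeping regardless of which block severity is chosen: it names the accounts whose followers-only posts may already sit on an affected server, which no domain block can retract.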