
Mastodon and Pleroma privacy update 

We're receiving reports of an exploit that allows users on certain versions of Pleroma to send follow requests to Mastodon users even after being blocked, causing a nuisance.

Although the latest version of Pleroma does not contain this exploit, not all servers are up-to-date, nor has a defense yet been implemented in Mastodon.

A relatively small number of bad actors are taking advantage of this, though, so users are encouraged to report them individually.

instance block and privacy update 

pleroma.rareome.ga, having been identified as the only known instance to promote exploiting the highly discussed bug, is now blocked from federating with chitter.xyz.

We hope that this is the only such instance, but we welcome and will investigate any further reports.


instance block and privacy update 

voluntaryism.club and its owner dtluna (all known accounts) have been suspended for not only attempting to exploit the same bug, but also for anti-trans remarks.


Mastodon and Pleroma privacy update 

@bug ftr, this is a known bug in pleroma and it can be used to see private statuses if you have a legit follower on that instance as well.

Mastodon and Pleroma privacy update 

@nightpool @bug a known bug, which is known to be fixed.

@kaniini @nightpool yes, we know. at the time of writing my post, many Pleroma instances had not yet updated, thus warranting the post.

@bug @nightpool

that wasn't targeted at you, but instead nightpool's response which I did not appreciate the tone of.

obviously, do what you need to do to protect your users!

you may also want to be aware that there is a Pleroma fork that has been modified to completely ignore activitypub to/cc fields. as far as we are aware, there is only one server running it: pleroma.rareome.ga, but there may be others.

@kaniini @nightpool I saw no problem with their tone; I appreciate any new information about vulnerabilities.

I've also heard about this fork and instance, but thank you for corroborating it.

@kaniini @bug I pointed it out because the original post made it sound like it was just a nuisance/spam attack, but it has more severe consequences than that. The "known bug" thing was meant to mean that the same information had been circulating for a while, nothing more. I didn't know about the rareome.ga server, so thanks for pointing it out. I'll make sure people know to block it.

Mastodon and Pleroma privacy update 

@kaniini @nightpool @bug also, once again, not entirely a pleroma problem. You could make fairly trivial modifications to any activitypub compliant server software and run it as an instance and achieve this easily, so it's nonsense that people have been blaming this on pleroma.

Mastodon and Pleroma privacy update 

@pea @kaniini @nightpool Please rest assured that as an admin of Chitter we are not making any sweeping motions against Pleroma as a server platform. My only wish is to make people aware of current risks, while working to mitigate them.

Mastodon and Pleroma privacy update 

@bug @nightpool @kaniini yeah and that's fair, I've just seen a lot of FUD @ pleroma about it and was referring to that more

Mastodon and Pleroma privacy update 

@bug @nightpool @pea

well, almost all pleroma instances were patched against this a couple of weeks ago: most admins actually update pretty frequently.

pleroma.fr, which is a mainstream instance, was not patched because href is running an experimental branch there (he is making it possible to statically compile pleroma into a single binary) which did not have the security fix yet.

overall, this is really mass hysteria, there is only one known incident of stalking that i am aware of, and that was pleroma on pleroma

Mastodon and Pleroma privacy update 

@kaniini @nightpool @pea My post was based on a report that is still not even 24 hours old that pleroma.rareome.ga/ was affected by this bug, and that a user was exploiting it. I was able to verify this report myself.

I have no interest in spreading misinformation, nor in characterizing _factual_ information as hysteria.

Mastodon and Pleroma privacy update 

@bug @pea @nightpool

pleroma.rareome.ga is running a fork that predates the security fix. it should be treated as a hostile actor.

Mastodon and Pleroma privacy update 

@kaniini @pea @nightpool and therefore I am justified in letting people know. thanks for agreeing.

Mastodon and Pleroma privacy update 

@bug @nightpool @pea

yeah, it had nothing to do with your announcement. it just irritated me with nightpool's comment is all :)

@bug indeed, but we will have to agree to disagree here. there were several unpleasant interactions i have had with him on this issue, including a gross misinterpretation of my positions on the issue tracker, etc.

@kaniini i'm sorry to hear that. it sounds like your previous interactions with them coloured your interpretation of their "tone". i hope you understand that my only interest is in obtaining, disseminating, and acting upon accurate data security info, and I have no reason to turn away a tip-off based on that.

@nightpool @bug

my apologies, i wasn't aware that you were non-binary.

Mastodon and Pleroma privacy update 

@pea It's not a pleroma problem that pleroma shipped a non-compliant implementation of activitypub for months? what?

You could also run an email server that made every email public, easily, but people would still say that it was your problem when they found it out.

Mastodon and Pleroma privacy update 

@nightpool wut

noncompliant? have you read the activitypub spec? If so point out where it includes blocking or privacy settings

I don't know how you've gone so long without finding this out, but you can't trust remote servers to do everything exactly how you expect. They could be running anything. It's a flaw in mastodon in the first place expecting an external server to do exactly "what it's supposed to do" and it's doubly problematic that there's no document published talking about everything that's nonstandard in mastodon and how it should be handled in other server implementations.

Mastodon and Pleroma privacy update 

@pea

....

i literally wrote the document you're asking about. I wrote a document about all of mastodon's non-standard behaviors and published it with mastodon's implementation report.

Also, did you miss "Targets for delivery are determined by checking the ActivityStreams audience targeting; namely, the to, bto, cc, bcc, and audience fields of the activity"

Mastodon and Pleroma privacy update 

@pea or perhaps or perhaps "In the case of receiving an Accept referencing this Follow as the object, the server SHOULD add the actor to the object actor's Followers Collection. In the case of a Reject, the server MUST NOT add the actor to the object actor's Followers Collection."

Mastodon and Pleroma privacy update 

@nightpool I'm not really sure what the part you're quoting has to do with blocking

Mastodon and Pleroma privacy update 

@pea (which is the actual requirement pleroma was violating, they completely ignored accept/reject until this was pointed out to them as a privacy problem)
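The Follow/Accept/Reject rules quoted above, plus the follower-gated delivery and read checks discussed later in the thread, as a small Ruby model. This is an added illustration, not Mastodon or Pleroma code; account names and actor URIs are constructed.

```ruby
require 'set'

# Added example (not from Mastodon or Pleroma): follower state driven by the
# ActivityPub rules quoted in the thread. A Follow stays pending until Accept;
# Reject MUST NOT add the actor; a block removes and refuses. Followers-only
# delivery and reads are gated on that state, so a remote server that ignores
# Accept/Reject or to/cc still receives nothing it is not entitled to.
class FollowerState
  def initialize
    @followers = Hash.new { |h, k| h[k] = Set.new } # account => follower URIs
    @pending   = Hash.new { |h, k| h[k] = Set.new } # account => awaiting answer
    @blocked   = Hash.new { |h, k| h[k] = Set.new } # account => blocked URIs
  end

  # Incoming Follow: a blocked actor is refused outright, anyone else waits
  # for the local server's Accept or Reject.
  def receive_follow(target, actor)
    return :reject if @blocked[target].include?(actor)
    @pending[target] << actor
    :pending
  end

  # Accept: "the server SHOULD add the actor to the object actor's Followers
  # Collection" (only for a Follow that was actually pending).
  def accept(target, actor)
    @followers[target] << actor if @pending[target].delete?(actor)
    follower?(target, actor)
  end

  # Reject: "the server MUST NOT add the actor to the ... Followers Collection".
  def reject(target, actor)
    @pending[target].delete(actor)
    follower?(target, actor) # stays false
  end

  # Block: drop any existing relationship and refuse future Follows.
  def block(target, actor)
    @followers[target].delete(actor)
    @pending[target].delete(actor)
    @blocked[target] << actor
  end

  def follower?(target, actor)
    @followers[target].include?(actor)
  end

  # Followers-only post: the to/cc list is the requested audience, but a copy
  # is delivered only to actors actually in the Followers Collection.
  def deliver_targets(author, addressed)
    addressed.select { |a| follower?(author, a) }
  end

  # Fetch of a private post: allowed only for a follower whose request carried
  # a verified HTTP signature (modelled as the verified actor URI, or nil).
  def can_read_private?(author, verified_actor)
    !verified_actor.nil? && follower?(author, verified_actor)
  end
end
```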

Mastodon and Pleroma privacy update 

@nightpool also apologies for missing that then, i'd never seen that document and i'd hunted one down for a bit

Mastodon and Pleroma privacy update 

@nightpool either way, nothing is insured when you're using a protocol like ActivityPub. In the end MUST is just a word and not an inviolable rule

Mastodon and Pleroma privacy update 

@nightpool a Bad Actor can break those rules at any time, and it's up to implementations to guard against that when possible

Mastodon and Pleroma privacy update 

@pea which mastodon does? It only sends posts to people that can see them, and we have moderation tools for when people do things in ways the software can't prevent. (remote servers sharing posts without proper authorization)

Mastodon and Pleroma privacy update 

@pea I don't understand what "a protocol like activitypub" is doing here. Even if this was the perfect e2e encrypted protocol, it wouldn't prevent a bad actor like the followbot had from re-publishing all private posts publicly.

Mastodon and Pleroma privacy update 

@nightpool @pea or other ways, the followbots are just a visible one. When you start to take a look at your nginx|apache|caddy access logs, you can clearly see that it's only the tip of the iceberg...

Mastodon and Pleroma privacy update 

@gled @pea what does that have to do with accessing private posts.

Mastodon and Pleroma privacy update 

@nightpool @gled @pea just signaling that there are many ways of accessing 'private' posts, no expectation to be had on that at the moment, that's all :)

Mastodon and Pleroma privacy update 

@gled @pea you can't access private posts by requesting them unless you're already a valid follower, authenticated with HTTP signatures?

Mastodon and Pleroma privacy update 

@nightpool @gled @pea not everywhere unfortunately, a lot of leaks have been plugged though I suspect a few are left ( I will come back once I have certitudes, I am currently investigating 2 weird behaviors ). Oh and not to mention the 2 instances that left their ES wide open ;)

Mastodon and Pleroma privacy update 

@gled well, if you find any information that you think is important, you know how to reach me and/or gargron.

Mastodon and Pleroma privacy update 

@nightpool I was more referring to the follow requests bit but w/e