@kaniini @nightpool yes, we know. at the time of writing my post, many Pleroma instances had not yet updated, thus warranting the post.

@kaniini @nightpool I saw no problem with their tone; I appreciate any new information about vulnerabilities.

I've also heard about this fork and instance, but thank you for corroborating it.

@kaniini @bug I pointed it out because the original post made it sound like it was just a nuisance/spam attack, but it has more severe consequences then that. The "known bug" thing was meant to mean that the same information had been circulating for a while, nothing more. I didn't know about the rareome.ge server, so thanks for pointing it out. I'll make sure people know to block it.

@pea @kaniini @nightpool Please rest assured that as an admin of Chitter we are not making any sweeping motions against Pleroma as a server platform. My only wish is to make people aware of current risks, while working to mitigate them.

@kaniini @nightpool @pea My post was based on a report that is still not even 24 hours old that https://pleroma.rareome.ga/ was affected by this bug, and that a user was exploiting it. I was able to verify this report myself.

I have no interest in spreading misinformation, nor in characterizing _factual_ information as hysteria.

@kaniini @pea @nightpool and therefore I am justified in letting people know. thanks for agreeing.

@kaniini once again, i see no problem with nightpool.

@kaniini i'm sorry to hear that. it sounds like your previous interactions with them coloured your interpretation of their "tone". i hope you understand that my only interest is in obtaining, disseminating, and acting upon accurate data security info, and I have no reason to turn away a tip-off based on that.

@kaniini @bug stop fucking misgendering me.

@pea It's not a pleroma problem that pleroma shipped a non-compliant implementation of activitypub for months? what?

You could also run an email server that made every email public, easily, but people would still say that it was your problem when they found it out.

@pea

....

i literally wrote the document you're asking about. I wrote a document about all of mastodon's non-standard behaviors and published it with mastodon's implementation report.

Also, did you miss "Targets for delivery are determined by checking the ActivityStreams audience targeting; namely, the to, bto, cc, bcc, and audience fields of the activity"

@pea or perhaps or perhaps "In the case of receiving an Accept referencing this Follow as the object, the server SHOULD add the actor to the object actor's Followers Collection. In the case of a Reject, the server MUST NOT add the actor to the object actor's Followers Collection."

@pea (which is the actual requirement pleroma was violating, they completely ignored accept/reject until this was pointed out to them as a privacy problem)

@pea which mastodon does? It only sends posts to people that can see them, and we have moderation tools for when people things in ways the software can't prevent. (remote servers sharing posts without proper authorization)

@pea I don't understand what "a protocol like activitypub" is doing here. Even if this was the perfect e2e encrypted protocol, it wouldn't prevent a bad actor like the followbot had from re-publishing all private posts publicly.

@nightpool @pea or other ways, the followbots are just a visible one. When you start to take a look at your nginx|apache|caddy access logs, you can clearly see that it's only the tip of the iceberg...

@gled @pea what does that have to do with accessing private posts.

@nightpool @gled @pea just signaling that there are many ways of accessing 'private' posts, no expectation to be had on that at the moment, that's all :)

@gled @pea you can't access private posts by requesting them unless you're already a valid follower, authenticated with HTTP signatures?

@nightpool @gled @pea not everywhere unfortunately, a lot of leaks have been plugged though I suspect a few are left ( I will come back once I have certitudes, I am currently investigating 2 weird behaviors ). Oh and not to mention the 2 instances that left their ES wide open ;)

@gled well, if you find any information that you think is important, you know how to reach me and/or gargron.

voluntaryism.club and its owner dtluna (all known accounts) have been suspended for not only attempting to exploit the same bug, but also for anti-trans remarks.