Mastodon and Pleroma privacy update 

We're receiving reports of an exploit that allows users on certain versions of Pleroma to send follow requests to Mastodon users even after being blocked, causing a nuisance.

Although the latest version of Pleroma does not contain this exploit, not all servers are up-to-date, nor has a defense yet been implemented in Mastodon.

A relatively small number of bad actors are taking advantage of this, though, so users are encouraged to report them individually.
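The announcement above says Mastodon does not yet defend against a sending server that ignores a block. The natural defense lives on the receiving side: the inbox handler enforces the target's block list itself, regardless of what the sending server claims. The following is an added example written for this page, not Mastodon's or Pleroma's code; it assumes a constructed in-memory block list (BLOCKS), a local actor ID (ALICE) and two hand-made Follow activities, and it skips HTTP-signature verification, which a real server performs before any of this.

```python
"""Inbox-side enforcement of blocks for incoming ActivityPub Follow activities.

Added example, not Mastodon's or Pleroma's code. Assumes a simple in-memory
block list and plain JSON activities; a real server also verifies the HTTP
signature on the request before trusting the actor field.
"""
import json
from urllib.parse import urlparse

# Constructed block list (assumption): local actor -> remote actor IDs they blocked.
ALICE = "https://chitter.example/users/alice"
BLOCKS = {
    ALICE: {"https://hostile.example/users/mallory"},
}


def _id_of(value):
    """Return the ID whether a field is a bare IRI string or an embedded object."""
    if isinstance(value, dict):
        value = value.get("id")
    return value if isinstance(value, str) else None


def _same_origin(a, b):
    return urlparse(a).netloc.lower() == urlparse(b).netloc.lower()


def handle_follow(local_actor, raw_activity):
    """Decide what to do with a Follow delivered to local_actor's inbox.

    Returns one of: "malformed", "spoofed", "wrong-target", "blocked", "pending".
    The block check happens here, on the receiving side, so it holds even if the
    sending server was modified to skip it.
    """
    try:
        activity = json.loads(raw_activity)
    except ValueError:
        return "malformed"
    if activity.get("type") != "Follow":
        return "malformed"
    actor = _id_of(activity.get("actor"))
    target = _id_of(activity.get("object"))
    activity_id = activity.get("id")
    if not actor or not target or not isinstance(activity_id, str):
        return "malformed"
    # The activity ID must come from the actor's own origin; otherwise a sender
    # could attribute the Follow to an actor it does not control.
    if not _same_origin(activity_id, actor):
        return "spoofed"
    if target != local_actor:
        return "wrong-target"
    if actor in BLOCKS.get(local_actor, set()):
        # Drop silently: no Accept, no Reject, and no notification to the user.
        return "blocked"
    return "pending"


# Constructed sample activities (assumption: not captured from any real server).
FOLLOW_FROM_BLOCKED = json.dumps({
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://hostile.example/activities/1",
    "type": "Follow",
    "actor": "https://hostile.example/users/mallory",
    "object": ALICE,
})
FOLLOW_FROM_OK = json.dumps({
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://friendly.example/activities/7",
    "type": "Follow",
    "actor": {"id": "https://friendly.example/users/bob", "type": "Person"},
    "object": ALICE,
})
FOLLOW_SPOOFED = json.dumps({
    "@context": "https://www.w3.org/ns/activitystreams",
    "id": "https://hostile.example/activities/2",
    "type": "Follow",
    "actor": "https://friendly.example/users/bob",
    "object": ALICE,
})

if __name__ == "__main__":
    for name, raw in [("blocked", FOLLOW_FROM_BLOCKED), ("ok", FOLLOW_FROM_OK),
                      ("spoofed", FOLLOW_SPOOFED)]:
        print(name, "->", handle_follow(ALICE, raw))
```

The point of the design is that the block decision never depends on the remote server's cooperation: the Follow from the blocked actor is discarded before it creates a follow request or a notification, and a Follow whose ID does not share an origin with its actor is rejected outright rather than consulted against the block list.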

Mastodon and Pleroma privacy update 

@bug ftr, this is a known bug in pleroma and it can be used to see private statuses if you have a legit follower on that instance as well.

Mastodon and Pleroma privacy update 

@nightpool @bug a known bug, which is known to be fixed.

Mastodon and Pleroma privacy update 

@kaniini @nightpool @bug Also, once again, this is not entirely a Pleroma problem. You could make fairly trivial modifications to any ActivityPub-compliant server software, run it as an instance, and achieve this easily, so it's nonsense that people have been blaming this on Pleroma.

Mastodon and Pleroma privacy update 

@pea @kaniini @nightpool Please rest assured that as an admin of Chitter we are not making any sweeping motions against Pleroma as a server platform. My only wish is to make people aware of current risks, while working to mitigate them.

Mastodon and Pleroma privacy update 

@bug @nightpool @pea

Well, almost all Pleroma instances were patched against this a couple of weeks ago: most admins actually update pretty frequently.

pleroma.fr, which is a mainstream instance, was not patched because href is running an experimental branch there (he is making it possible to statically compile Pleroma into a single binary) which did not have the security fix yet.

Overall, this is really mass hysteria. There is only one known incident of stalking that I am aware of, and that was Pleroma on Pleroma.

Mastodon and Pleroma privacy update 

@kaniini @nightpool @pea My post was based on a report that is still not even 24 hours old that pleroma.rareome.ga/ was affected by this bug, and that a user was exploiting it. I was able to verify this report myself.

I have no interest in spreading misinformation, nor in characterizing _factual_ information as hysteria.

Mastodon and Pleroma privacy update 

@bug @pea @nightpool

pleroma.rareome.ga is running a fork that predates the security fix. It should be treated as a hostile actor.

Mastodon and Pleroma privacy update 

@kaniini @pea @nightpool and therefore I am justified in letting people know. thanks for agreeing.

Mastodon and Pleroma privacy update 

@bug @nightpool @pea

Yeah, it had nothing to do with your announcement. It was just nightpool's comment that irritated me, is all :)

@bug Indeed, but we will have to agree to disagree here. There were several unpleasant interactions I have had with him on this issue, including a gross misinterpretation of my positions on the issue tracker, etc.

@kaniini I'm sorry to hear that. It sounds like your previous interactions with them coloured your interpretation of their "tone". I hope you understand that my only interest is in obtaining, disseminating, and acting upon accurate data security info, and I have no reason to turn away a tip-off based on that.
