fiona

pixelfed instance admins: Please update pixelfed to v0.12.5 asap. The version contains fixes for serious security vulnerabilities that I reported.
I will disclose further details about the vulnerabilities in about 24 hours.
:boost_requested:

fiona

Pixelfed before v0.12.5 has a vulnerability where it could leak your private posts, regardless of whether you are a Pixelfed user or not.
Admins should update ASAP.

When following someone from a different server on the Fediverse, the remote server decides whether you are allowed to do that. This enables features like locked accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. If a legitimate user from a Pixelfed instance follows you on your locked account, anyone on that Pixelfed instance can read your private posts.

I wrote a blog post about how I found the vulnerability, how disclosure coordination went and general ramblings about Fediverse safety:
fokus.cool/2025/03/25/pixelfed

#pixelfed #fediverse #activitypub
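The follow handshake and the followers-only visibility rule that the post relies on, modelled as a small state machine. This is an added illustration, not Pixelfed's code and not the author's: the class and function names, the actor URLs and the convention that the followers collection lives at `<actor>/followers` are all assumptions made for the example. What it encodes is the protocol rule the post states: the remote server decides, so an outgoing Follow is only in effect once that server answers with an Accept for it, and a post addressed to an actor's followers collection is for accepted followers only. The `require_accept=False` switch reproduces the class of mistake the post describes (a Follow treated as in effect without the remote Accept) so the two behaviours can be compared.

```python
"""ActivityPub follow handshake and followers-only visibility (added example,
not Pixelfed code). Names, URLs and the followers-collection convention are
assumptions made for the illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"

# Constructed sample actors: two local users on one instance and one locked
# account on another server.
ALICE = "https://pixelfed.example/users/alice"
MALLORY = "https://pixelfed.example/users/mallory"
BOB = "https://locked.example/users/bob"


class FollowState(Enum):
    PENDING = "pending"    # Follow sent, remote server has not answered yet
    ACCEPTED = "accepted"  # remote server sent Accept
    REJECTED = "rejected"  # remote server sent Reject


@dataclass
class FollowGraph:
    # require_accept=False reproduces the mistake class the post describes:
    # a Follow is treated as in effect without the remote server's decision.
    require_accept: bool = True
    # Follow activity id -> (local follower, remote target, state)
    follows: dict[str, tuple[str, str, FollowState]] = field(default_factory=dict)
    # remote actor id -> URL of its followers collection (a real server reads
    # this from the fetched actor document; here it is supplied directly)
    followers_of: dict[str, str] = field(default_factory=dict)

    def register_actor(self, actor: str, followers_collection: str) -> None:
        self.followers_of[actor] = followers_collection

    def send_follow(self, follow: dict) -> None:
        """Record an outgoing Follow. It starts PENDING: the remote server owns
        the decision, so nothing is granted until its Accept arrives."""
        assert follow["type"] == "Follow"
        self.follows[follow["id"]] = (follow["actor"], follow["object"], FollowState.PENDING)

    def receive(self, activity: dict) -> None:
        """Handle an inbound Accept or Reject answering one of our Follows."""
        if activity["type"] not in ("Accept", "Reject"):
            return
        obj = activity["object"]
        follow_id = obj["id"] if isinstance(obj, dict) else obj
        entry = self.follows.get(follow_id)
        if entry is None:
            return  # answers a Follow we never sent: ignore, create nothing
        follower, target, _ = entry
        if activity["actor"] != target:
            return  # only the actor that was asked may accept or reject
        state = FollowState.ACCEPTED if activity["type"] == "Accept" else FollowState.REJECTED
        self.follows[follow_id] = (follower, target, state)

    def state_of(self, follow_id: str) -> FollowState:
        return self.follows[follow_id][2]

    def is_follower(self, local_user: str, remote_actor: str) -> bool:
        ok_states = {FollowState.ACCEPTED}
        if not self.require_accept:
            ok_states.add(FollowState.PENDING)  # the bug: pending counts as accepted
        return any(f == local_user and t == remote_actor and s in ok_states
                   for f, t, s in self.follows.values())

    def can_view(self, local_user: str, post: dict) -> bool:
        """Whether one local user may see an inbound post. The post being stored
        on the instance for a legitimate follower grants nothing to anyone else."""
        author = post["attributedTo"]
        audience = set(post.get("to", [])) | set(post.get("cc", []))
        if PUBLIC in audience or local_user in audience:
            return True
        if self.followers_of.get(author) in audience:
            return self.is_follower(local_user, author)
        return False


def build_scenario(require_accept: bool = True) -> FollowGraph:
    """Constructed exchange: both local users send a Follow to the locked
    account; only Alice's is accepted. A forged Accept for Mallory's Follow
    from a third actor must change nothing."""
    g = FollowGraph(require_accept=require_accept)
    g.register_actor(BOB, BOB + "/followers")
    g.send_follow({"type": "Follow", "id": "https://pixelfed.example/follows/1",
                   "actor": ALICE, "object": BOB})
    g.send_follow({"type": "Follow", "id": "https://pixelfed.example/follows/2",
                   "actor": MALLORY, "object": BOB})
    g.receive({"type": "Accept", "actor": BOB,
               "object": {"type": "Follow", "id": "https://pixelfed.example/follows/1"}})
    g.receive({"type": "Accept", "actor": "https://third.example/users/x",
               "object": "https://pixelfed.example/follows/2"})
    return g


# Constructed followers-only post from the locked account, delivered to the
# instance because Alice is an accepted follower.
FOLLOWERS_ONLY_POST = {
    "type": "Note",
    "id": "https://locked.example/notes/42",
    "attributedTo": BOB,
    "to": [BOB + "/followers"],
    "cc": [],
    "content": "followers only",
}


if __name__ == "__main__":
    for flag in (True, False):
        g = build_scenario(require_accept=flag)
        print(f"require_accept={flag}: alice={g.can_view(ALICE, FOLLOWERS_ONLY_POST)} "
              f"mallory={g.can_view(MALLORY, FOLLOWERS_ONLY_POST)}")
```

With `require_accept=True` Mallory's Follow stays pending and the followers-only post is hidden from her even though it is in the same instance's database; with the switch off, her pending Follow is treated as accepted and she can read it, which is the shape of the leak the post describes. The check that an Accept comes from the actor that was actually asked is the second half of "the remote server decides": without it any server could accept on the locked account's behalf.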

nicole mikołajczyk
@fionafokus I was sure this was just a shitpost when I saw this yesterday. Like, you noticed there's a new version quietly released and posted this as a joke, because that's def not how such a project would handle a security release.