Pixelfed leaks private posts from other Fediverse instances

March 25, 2025

When you follow someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This is what makes features like private (locked) accounts possible. Due to an implementation mistake, Pixelfed ignores this decision and allows anyone to follow even private accounts on other servers. Worse, once a legitimate user from a Pixelfed instance follows your locked Fediverse account, anyone on that Pixelfed instance can read your private posts. You do not need to be a Pixelfed user to be affected.

Pixelfed admins should update to v1.12.5 as soon as possible, although upgrading can be a major hurdle.

Storytime

Two weeks ago, a partner and I were on vacation far away from home. We were enjoying some well-deserved rest after a long day outside when I looked over to see her shooting confused looks at her phone.

“Someone favorited a toot that they should not be able to see. How is this possible?” she said, holding it up in my face.

“What? No way.”

But sure enough, the toot was followers-only and the person who had liked it was not following her Mastodon account. When I took a look at the other person’s profile on pixelfed.social, I noticed that the instance was nevertheless claiming the account was following her. I already dreaded what I felt was about to happen.

I created an account on pixelfed.social and clicked follow on my partner’s Mastodon account, and… I could see all of her private posts. Instead of telling me I’d have to wait to have my follow accepted, I was already following her.

“Oh no, not again”, I said, dreading the thought of spending the next few hours reading PHP code and writing a report.

ActivityPub

In order to understand how this happened, we have to know a few things about ActivityPub, the protocol powering the Fediverse. In most ActivityPub implementations the user can decide whether they want to manually review new followers. In Mastodon this is achieved by disabling “Automatically accept ne...
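To make the expected behaviour concrete, here is an added example (not Pixelfed's or Mastodon's code) of how the following side should track an outgoing Follow and decide who may see a followers-only post it later receives. The follow stays pending until the remote server's Accept arrives, and a stored post is shown to a local user only if that user is in its audience. All actor URLs, activity ids and the Note are constructed sample data, and the activities are assumed to have passed signature verification before reaching the inbox handler.

```python
"""Minimal model of follow handling on the *following* server.

Added example for illustration; not Pixelfed's or Mastodon's code.
All actor URLs, activity ids and the Note below are constructed.
"""
from dataclasses import dataclass, field

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"


@dataclass
class FollowTracker:
    # Follow activity id -> {"actor": local, "object": remote, "state": ...}
    follows: dict = field(default_factory=dict)
    # (local actor, remote actor) pairs the remote server has Accept-ed
    accepted: set = field(default_factory=set)
    # remote actor id -> its followers collection URL (from its actor document)
    followers_url: dict = field(default_factory=dict)
    # stored remote posts: post id -> {"author": ..., "audience": set()}
    posts: dict = field(default_factory=dict)

    def send_follow(self, follow_id, local_actor, remote_actor):
        """Outgoing Follow. Only 'pending' is recorded: the remote server,
        not this one, decides whether the follow is allowed. Marking it
        'accepted' here is exactly the shortcut that breaks locked accounts."""
        self.follows[follow_id] = {"actor": local_actor, "object": remote_actor,
                                   "state": "pending"}

    def handle_inbox(self, activity):
        """Process one inbound activity (assumed signature-verified)."""
        kind = activity.get("type")
        if kind in ("Accept", "Reject"):
            obj = activity.get("object")
            follow_id = obj.get("id") if isinstance(obj, dict) else obj
            follow = self.follows.get(follow_id)
            # Unknown Follow, or an Accept from someone other than the actor
            # we asked to follow: ignore it rather than trust it.
            if follow is None or activity.get("actor") != follow["object"]:
                return False
            follow["state"] = "accepted" if kind == "Accept" else "rejected"
            key = (follow["actor"], follow["object"])
            if kind == "Accept":
                self.accepted.add(key)
            else:
                self.accepted.discard(key)
            return True
        if kind == "Create" and isinstance(activity.get("object"), dict):
            note = activity["object"]
            audience = set(note.get("to", [])) | set(note.get("cc", []))
            self.posts[note["id"]] = {"author": note["attributedTo"],
                                      "audience": audience}
            return True
        return False

    def is_following(self, local_actor, remote_actor):
        return (local_actor, remote_actor) in self.accepted

    def can_view(self, local_actor, post_id):
        """A local user may see a stored remote post only if it is public,
        addresses them directly, or addresses the author's followers
        collection and the author has accepted this user's follow."""
        post = self.posts[post_id]
        audience = post["audience"]
        if PUBLIC in audience or local_actor in audience:
            return True
        followers = self.followers_url.get(post["author"])
        return followers in audience and self.is_following(local_actor, post["author"])


def demo():
    """Walk through the scenario from the write-up with constructed data."""
    t = FollowTracker()
    bob = "https://masto.example/users/bob"        # locked account (constructed)
    alice = "https://pixel.example/users/alice"    # requests to follow bob
    carol = "https://pixel.example/users/carol"    # same instance, never followed bob
    t.followers_url[bob] = bob + "/followers"

    t.send_follow("https://pixel.example/follows/1", alice, bob)
    # A followers-only Note from bob, addressed to his followers collection only.
    # However it arrived, the audience check decides who gets to see it.
    t.handle_inbox({"type": "Create", "actor": bob,
                    "object": {"id": bob + "/statuses/1", "type": "Note",
                               "attributedTo": bob,
                               "to": [bob + "/followers"], "cc": []}})
    before = t.can_view(alice, bob + "/statuses/1")
    # Bob reviews the request and accepts it; only now is the follow real.
    t.handle_inbox({"type": "Accept", "actor": bob,
                    "object": "https://pixel.example/follows/1"})
    after = t.can_view(alice, bob + "/statuses/1")
    other_user = t.can_view(carol, bob + "/statuses/1")
    return {"before_accept": before, "after_accept": after,
            "other_local_user": other_user}


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are separate: `is_following` becomes true only after an Accept from the actor that was asked, and `can_view` consults the post's `to`/`cc` audience for each local viewer rather than treating every post that reached the instance as visible to everyone on it.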