Spacc BBS

    So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.

    47 posts, 10 authors, 111 views
    This topic has been deleted. Only users with management rights can see it.
    • peachfiend@mastodon.sdf.org, replying to @thisismissem@hachyderm.io:

      @thisismissem there are many #fediverse platforms using #ActivityPub, most of which allow media sharing, and i have never really understood what @pixelfed purports to bring to the party anyway.

      • thisismissem@hachyderm.io, replying to @peachfiend@mastodon.sdf.org:

        @peachfiend thank you, but yes, I'm aware of activitypub software, given the number of AP projects I'm a maintainer or frequent contributor to. And the fact that I founded the ActivityPub Trust & Safety taskforce and championed the Fediverse Security Fund

        Perhaps maybe look at people's profiles if you don't know them before replying.

        • deadsuperhero@social.wedistribute.org, replying to @thisismissem@hachyderm.io:

          @thisismissem@hachyderm.io Hey @dansup@mastodon.social, you need to fix this, dude.

          • dansup@mastodon.social, replying to @deadsuperhero@social.wedistribute.org:

            @deadsuperhero @thisismissem the fix was shipped months ago, thanks for spreading misinformation!

            • thisismissem@hachyderm.io, replying to @dansup@mastodon.social:

              @dansup @deadsuperhero so you shipped followers collection synchronisation? And you published the CVE? Because to my knowledge you haven't done either.

              • thisismissem@hachyderm.io, replying to @thisismissem@hachyderm.io:

                @dansup @deadsuperhero unless I'm missing something? https://github.com/search?q=repo%3Apixelfed%2Fpixelfed%20Collection-Synchronization&type=code

                • thisismissem@hachyderm.io, replying to @thisismissem@hachyderm.io:

                  @dansup @deadsuperhero no published vulnerability report for it either:

                  • julian@community.nodebb.org, replying to @thisismissem@hachyderm.io:

                    thisismissem@hachyderm.io what was this in reference to, the one where Pixelfed allows anyone on a server access to a followers only post if one person on that server is a follower?

                    • thisismissem@hachyderm.io:

                      @julian yeah, that one. He prevented it from being exploited further, but because pixelfed doesn't sync its remote account followers, anyone who managed to exploit it beforehand is still able to exploit it, because pixelfed erroneously added follower records locally without there being an Accept(Follow). Sync would purge those invalid records

                      And the CVE / Security vulnerability report still isn't published.

                      • feld@friedcheese.us, replying to @dansup@mastodon.social:

                        @dansup @deadsuperhero @thisismissem so are Pixelfed servers not patching or what?

                        Or is this just another case of Mastodon finding ways to punch down other software in the ecosystem?

                        • thisismissem@hachyderm.io, replying to @feld@friedcheese.us:

                          @feld @dansup @deadsuperhero no, it's that Dan only fixed part of the problem, which was preventing it from being exploited further.

                          He hasn't implemented follower collection-synchronisation in order to remove any erroneous follower records from pixelfed servers (where pixelfed thinks a follower is approved, but the target server doesn't)

                          Additionally, he's not released the security vulnerability report.

                          He's been saying for months to multiple people he's working on it or about to release it, but it's been, what, 6 months? Hence the very public nudge to finally fix this vulnerability once and for all.

                          • julian@community.nodebb.org, replying to @thisismissem@hachyderm.io:

                            thisismissem@hachyderm.io could a hot fix simply be to have Pixelfed remove all follower records and re-associate them on demand?

                            Talking out of my ass here though.

                            • thisismissem@hachyderm.io:

                              @julian basically for every remote account that a pixelfed server knows about & has at least 2 outbound follow records to, the followers collection needs to be pulled and any follow records that aren't in the remote follower's collection need to be deleted.

                              Follower collection synchronisation makes that pretty performant to do.

                              Essentially you have pixelfed servers that think accounts A +B are following remote actor Z, but only A was approved by actor Z, but pixelfed erroneously stored B as a follow instead of a follow request. So follow record B for remote actor Z needs to be deleted

                              I think I'm summarising it right, been a while since I read the report and code.

                              • dansup@mastodon.social, replying to @thisismissem@hachyderm.io:
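The two posts above describe the defect (a local follow record stored as accepted without an Accept(Follow) ever arriving) and the remediation (pull each remote actor's followers collection and delete local records it does not list). The following Python is an added illustrative example, not Pixelfed's code and not a reference implementation of the collection-synchronisation FEP; the FollowStore class, the actor URLs, and the REMOTE_FOLLOWERS table that stands in for fetching a remote followers collection are all constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class FollowState(Enum):
    PENDING = "pending"      # Follow sent; no Accept(Follow) received yet
    ACCEPTED = "accepted"    # remote actor answered with Accept(Follow)


@dataclass
class FollowRecord:
    follower: str            # local actor URL
    target: str              # remote actor URL
    state: FollowState


class FollowStore:
    """Local follow records of one server (in memory; constructed for this example)."""

    def __init__(self) -> None:
        self.records: List[FollowRecord] = []

    def send_follow(self, follower: str, target: str) -> None:
        # Correct behaviour: an outbound Follow is only a request until accepted.
        self.records.append(FollowRecord(follower, target, FollowState.PENDING))

    def buggy_send_follow(self, follower: str, target: str) -> None:
        # The mistake described in the thread: storing the Follow as already
        # accepted without waiting for Accept(Follow). Kept only to show what
        # the reconciliation pass has to clean up afterwards.
        self.records.append(FollowRecord(follower, target, FollowState.ACCEPTED))

    def handle_accept(self, activity: dict) -> bool:
        """Promote a pending record only on a well-formed Accept(Follow) from the target."""
        obj = activity.get("object") or {}
        if activity.get("type") != "Accept" or obj.get("type") != "Follow":
            return False
        if activity.get("actor") != obj.get("object"):
            return False  # the Accept must come from the actor that was followed
        for rec in self.records:
            if (rec.follower == obj.get("actor") and rec.target == obj.get("object")
                    and rec.state is FollowState.PENDING):
                rec.state = FollowState.ACCEPTED
                return True
        return False

    def accepted_followers_of(self, target: str) -> Set[str]:
        return {r.follower for r in self.records
                if r.target == target and r.state is FollowState.ACCEPTED}

    def targets_needing_sync(self, min_records: int = 2) -> List[str]:
        # The thread's heuristic: remote actors with at least two outbound follow records.
        counts: Dict[str, int] = {}
        for r in self.records:
            counts[r.target] = counts.get(r.target, 0) + 1
        return sorted(t for t, n in counts.items() if n >= min_records)

    def reconcile(self, target: str, remote_followers: Set[str]) -> List[str]:
        """Followers-collection sync: delete local ACCEPTED records that the remote
        actor's followers collection does not list. Returns the purged follower URLs."""
        purged, kept = [], []
        for r in self.records:
            if (r.target == target and r.state is FollowState.ACCEPTED
                    and r.follower not in remote_followers):
                purged.append(r.follower)
            else:
                kept.append(r)
        self.records = kept
        return sorted(purged)


# Constructed stand-in for fetching each remote actor's followers collection over HTTP.
REMOTE_FOLLOWERS: Dict[str, Set[str]] = {
    "https://remote.example/users/Z": {"https://pixelfed.example/users/A"},
}


def demo() -> tuple:
    """Replays the thread's scenario: A was accepted by Z, B was stored as a follow by mistake."""
    store = FollowStore()
    a, b, z = ("https://pixelfed.example/users/A",
               "https://pixelfed.example/users/B",
               "https://remote.example/users/Z")
    store.send_follow(a, z)
    store.handle_accept({"type": "Accept", "actor": z,
                         "object": {"type": "Follow", "actor": a, "object": z}})
    store.buggy_send_follow(b, z)            # no Accept ever arrived for B
    before = store.accepted_followers_of(z)  # {A, B}: B is the invalid record
    purged: List[str] = []
    for target in store.targets_needing_sync():
        purged += store.reconcile(target, REMOTE_FOLLOWERS.get(target, set()))
    after = store.accepted_followers_of(z)   # {A}
    return before, purged, after


if __name__ == "__main__":
    print(demo())
```

The reconcile pass only removes records the local server believes are accepted; pending requests are left alone, since the remote actor may simply not have answered yet. A production implementation would page through the remote followers collection and rate-limit the fetches, which this example leaves out.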

                                @thisismissem @pixelfed The fix was shipped and announced in March.

                                Quoted post by pixelfed (@pixelfed@mastodon.social) on mastodon.social:
                                "We've just released v0.12.5 with an important privacy fix. ⚠️ Please update your instances as soon as possible! https://github.com/pixelfed/pixelfed/releases/tag/v0.12.5"

                                I'm working on collection sync, but that is a Mastodon extension that isn't supported in most software keep in mind.

                                Maybe you could have reached out privately instead of publicly shaming an open source fediverse project into implementing a Mastodon-only fix.

                                We do accept PRs, and you could have contributed a fix to help ship sync quicker if you did really care (adonis is based on laravel, php is ez)

                                • thisismissem@hachyderm.io, replying to @dansup@mastodon.social:

                                  @dansup @pixelfed myself and others have been for months waiting for you to follow up with collection sync to ensure only the accounts truly approved to be followers are allowed as followers on pixelfed's side. I know renaud and claire have asked, and I've been asking shlee.

                                  It's also *not* a mastodon only fix, collection sync is a FEP like any other.

                                  I've already made it clear in the past that due to the way you treat your contributors, I would not contribute to your projects, but this concerns more than just you, hence trying to get answers and progress.

                                  • thisismissem@hachyderm.io, replying to @dansup@mastodon.social:

                                    @dansup @pixelfed from what I can see, pixelfed 0.12.5 included no change to rectify invalid Follow records in your database by asking the remote actor for all its currently approved followers, therefore the original exploit(s) of the security vulnerability still exist within your database: https://github.com/pixelfed/pixelfed/compare/v0.12.4...v0.12.5

                                    • crissy@tech.lgbt, replying to @thisismissem@hachyderm.io:

                                      @thisismissem hello Emelia. just read this all now and wondering if you recommend leaving pixelfed?

                                      thank u for providing detail as to what the issue is about for this designer to understand what the major concerns are.

                                      I don't know how he treats contributors but also haven't posted anything there for weeks so unsure if I shall keep my account alive knowing this now. Thank you in advance!

                                      Would you also have other recommendations of other pixelfed-like solutions or is it simpler to just post pix directly on one's account here on Fedi from the server I am part of? Thanks again!

                                      • thisismissem@hachyderm.io, replying to @crissy@tech.lgbt:

                                        @Crissy I think people can make their own assessments, but I do believe Dan has spread himself too thin with too many projects, which results in lower cadence and quality software in general.

                                        Whilst I'd like for an instagram like service to succeed on Fedi, I'm not sure that's going to happen with Pixelfed given the way Dan acts. If he focused on one project and brought in different lead developers for the others, they might have a chance of succeeding, but managing multiple very large projects at once isn't a recipe for success imo.

                                        Things are so bad that there's even an open letter to NLNet to get them to cancel grants, and that's something incredibly rare. I wish it wasn't that way.

                                        Even in the thread he's accused me of misinformation, when what I've said continues to be correct. A security researcher shouldn't be left waiting for months for their advisory to be published if it is indeed fixed as he claims, but I don't think it's fully fixed.

                                        • hiphopheaven@mastodon.social, replying to @thisismissem@hachyderm.io:

                                          @thisismissem @pixelfed so what's the alternative?

                                          • thisismissem@hachyderm.io, replying to @hiphopheaven@mastodon.social:

                                            @hiphopheaven @pixelfed I'm not saying "don't use Pixelfed", no, in fact I want people to be safe using and federating with Pixelfed.

                                            However, I am calling on Dan & the pixelfed team (?) to do the right thing and fully fix this vulnerability, and do the remediation work necessary, and adopt better security release practices.

                                            Having this in a state of "kinda fixed" for 6 months or so isn't great.
