American funding provided contraceptive devices and the medical services to deliver them to more than 47 million women and couples, which is estimated to have averted 17.1 million unintended pregnancies and 5.2 million unsafe abortions. Trump & Musk cancelled it all. One plan: to destroy the contraceptives already paid for but now stuck in warehouses with no staff to distribute. #health #women #RESIST https://www.nytimes.com/2025/04/01/health/usaid-contraception-cuts.html?smid=nytcore-ios-share&referringSource=articleShare
And here this sad story ends: the body of the fourth US soldier killed during a training exercise in #Lituania🇱🇹 has been found. It is known that an M88 Hercules armoured recovery vehicle in which the four soldiers were travelling fell and sank in a swamp; it is still not known why.
Liberal Leader Mark Carney pitches affordability measures as U.S. readies new tariffs https://www.winnipegfreepress.com/canada/2025/04/01/liberal-leader-mark-carney-pitches-affordability-measures-as-u-s-readies-new-tariffs
Fediverse Report – #110
A vulnerability in Pixelfed caused private posts from other platforms to leak, a post-mortem on the CSAM scanner from IFTAS, and Fediforum has been cancelled.
Pixelfed vulnerability impacts private posts across most of the fediverse
The fediverse has suffered a significant breach of private accounts that affects the large majority of fediverse servers, caused by a vulnerability in the Pixelfed software. What is notable about the situation is that the software vulnerability is in Pixelfed, but the affected accounts are not exclusive to Pixelfed: accounts on Mastodon and other fediverse software with a form of private accounts are also vulnerable. The vulnerability was found by the independent developer Fiona, who wrote a blog post about the vulnerability and the disclosure process.
To understand the situation, a short explanation of two features of Mastodon and some other fediverse microblogging software is needed: locked accounts and follower-only posts. Together these two features make it possible to have a form of private accounts. A locked account means that nobody can automatically follow that account; each follow request has to be approved instead. A follower-only post means that the post will only be displayed to your followers.
When a locked account approves a follower, follower-only posts are from then on sent to the server that this follower is on. Because the receiving server now has the follower-only post in its database, it needs to correctly handle whom it shows this post to and whom it does not. If another account on that server also tries to follow the locked account, but the locked account does not approve, this third account should not be able to see the posts. This is where Pixelfed’s vulnerability comes in: Pixelfed did not wait for confirmation that a follow request had been approved; it assumed that it was automatically approved. That is how private posts made on (almost) any fediverse server could be leaked: if a Pixelfed server already had the private post (because someone on Pixelfed followed the locked account with approval), it would show it to anyone else on that server who also tried to follow the locked account, even if the locked account rejected the follow request.
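The follow handshake described above, as an added example that is not Pixelfed’s or Mastodon’s own code: a minimal model of the state a receiving server keeps for its local users’ follow requests, with the shortcut the report describes (a sent Follow is treated as if it were already accepted) next to the correct check, which grants access to a followers-only post only after an Accept from the locked account. The actor names, the `ReceivingServer` class and the three local users (approved, rejected, still pending) are constructed for the illustration.

```python
# Added illustration, not Pixelfed or Mastodon code. Models the follow state
# a receiving server must track before it shows an inbound followers-only
# post to one of its local users. Activity names follow the ActivityPub
# vocabulary (Follow / Accept / Reject); all actors and posts are constructed.
from dataclasses import dataclass, field
from enum import Enum


class FollowState(Enum):
    PENDING = "pending"     # Follow sent, no Accept or Reject received yet
    ACCEPTED = "accepted"   # the locked account sent Accept
    REJECTED = "rejected"   # the locked account sent Reject


@dataclass
class Post:
    post_id: str
    author: str          # remote actor id, e.g. "locked@remote.example"
    audience: str        # "public" or "followers"
    content: str


@dataclass
class ReceivingServer:
    """State one server keeps for its local users' follows and inbound posts."""
    follows: dict = field(default_factory=dict)   # (local, remote) -> FollowState
    posts: dict = field(default_factory=dict)     # post_id -> Post

    # --- outbound Follow and inbound Accept/Reject, reduced to state changes ---
    def send_follow(self, local_actor: str, remote_actor: str) -> None:
        # Sending a Follow only creates a request; it does not make a follower.
        self.follows[(local_actor, remote_actor)] = FollowState.PENDING

    def receive_accept(self, local_actor: str, remote_actor: str) -> None:
        self.follows[(local_actor, remote_actor)] = FollowState.ACCEPTED

    def receive_reject(self, local_actor: str, remote_actor: str) -> None:
        self.follows[(local_actor, remote_actor)] = FollowState.REJECTED

    def receive_post(self, post: Post) -> None:
        # Delivered because at least one local account is an accepted follower;
        # from here on the receiving server is trusted to gate who sees it.
        self.posts[post.post_id] = post

    # --- visibility checks ---
    def can_view_vulnerable(self, local_actor: str, post_id: str) -> bool:
        """Buggy check: any Follow that was ever sent counts as following,
        so pending and even rejected requests grant access."""
        post = self.posts[post_id]
        if post.audience == "public":
            return True
        return (local_actor, post.author) in self.follows

    def can_view_fixed(self, local_actor: str, post_id: str) -> bool:
        """Correct check: only an Accept from the author grants access."""
        post = self.posts[post_id]
        if post.audience == "public":
            return True
        return self.follows.get((local_actor, post.author)) is FollowState.ACCEPTED


def leak_scenario() -> dict:
    """Replay the situation from the report and return both checks' answers."""
    server = ReceivingServer()
    locked = "locked@remote.example"
    # alice's follow was approved, so the followers-only post gets delivered.
    server.send_follow("alice@local.example", locked)
    server.receive_accept("alice@local.example", locked)
    server.receive_post(Post("p1", locked, "followers", "private note"))
    # mallory asks to follow and is rejected; dave asks and gets no answer yet;
    # carol never asks at all.
    server.send_follow("mallory@local.example", locked)
    server.receive_reject("mallory@local.example", locked)
    server.send_follow("dave@local.example", locked)
    results = {}
    for user in ("alice", "mallory", "dave", "carol"):
        actor = f"{user}@local.example"
        results[f"{user}_vulnerable"] = server.can_view_vulnerable(actor, "p1")
        results[f"{user}_fixed"] = server.can_view_fixed(actor, "p1")
    return results


if __name__ == "__main__":
    for name, allowed in leak_scenario().items():
        print(f"{name}: {allowed}")
```

The point of the model is that the receiving server, not the locked account, is the last line of defence once a followers-only post has been delivered: the author’s server cannot revoke the copy, so the only thing standing between a rejected or still-pending follower and the post is the receiving server checking for an explicit Accept.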
Pixelfed’s vulnerability points to deeper issues with the fediverse, ActivityPub and private posts. If all it takes to leak private messages is for another server to be misconfigured, then that indicates the huge security risk inherent in private posts via ActivityPub. Even more so considering that the network incentivises and encourages people to build their own software implementations, which increases the risk of security vulnerabilities and other misconfigurations significantly. For simplicity I’ll focus here on Mastodon, although it also goes for other microblogging fediverse software that offers a combination of follower-only posts and locked accounts. At its core, private posts via ActivityPub require trusting other servers. This is how ActivityPub works: your server sends posts to another server. There is no way to enforce that this other server respects your preference on how it should handle this post. If you do not trust another server to handle your data properly, the only way to deal with that is by not sending your post to that server.
When you make a follower-only post on Mastodon, the UI prompt warns you that followers-only posts without setting your account to locked allow anyone to view your posts by simply following you. The documentation for Mastodon also reinforces this, saying: “To effectively publish private (followers-only) posts, you must lock your account–otherwise, anyone could follow you to view older posts.” The documentation makes it clear that Mastodon views the combination of follower-only posts with a locked account as private posts. But nowhere is it made clear that these posts being private depends on other servers being good actors and not having an error in their code. So using private posts on Mastodon comes with the risk of the private posts being leaked due to flaws in other software, without people being aware of this risk.
Once a leak like this one happens, it is unclear who is responsible for communications with affected users. It was a flaw in Pixelfed that caused the vulnerability, but it is other people on other fediverse servers that are affected. Pixelfed developer Daniel Supernault has only made minimal announcements, urging Pixelfed admins to upgrade, without further explanation to the people who are actually affected by the vulnerability. Personally I think Supernault should have handled communications significantly better. But it is the thousands of fediverse server admins who provide the actual social networking to people on their server. They are the ones who are offering a social networking site with a variety of features, including the ability to make private posts (as advertised by the Mastodon software), and are the ones who are responsible for handling the data of their users. I could only find one example of a server admin that has informed their users of the situation, even though it is the data of their users that is affected. I’m unclear if this is because the admins are not aware of what’s going on, or the admins view it as the responsibility of someone else to inform people that data they thought was private might potentially have been leaked.
Overall, it means that there are actually three separate problems going on at the same time:
The first problem is that Pixelfed had a vulnerability which leaked private data from people on other platforms.
The second problem is that software like Mastodon and others promise private posts, without explaining what the risks of using private posts are, and that this depends on other servers behaving correctly. The Pixelfed vulnerability shows that these concerns are not theoretical or minor, but can happen to one of the biggest fediverse software projects.
The third problem is that when private data gets leaked, most fediverse server admins do not inform the people on their platform that they might have been affected by this.
It is still unclear what the direct impact of the Pixelfed vulnerability is, and how many people’s private posts have been accessed by others, and it is uncertain whether that will ever be answered. But it is the indirect impact of the situation that I’m most interested in: will this change how people perceive private posts, and will fediverse server admins take a clear position on when they should inform their users, and when they should not?
IFTAS’s post-mortem on their Content Classification System
IFTAS, the Independent Federated Trust And Safety organisation, has released a post-mortem on their content classification system (CCS). The CCS project was a pilot project to detect and report CSAM for a small group of Mastodon servers, and lasted for half a year. The pilot was shut down after IFTAS did not manage to find the funding they were looking for, and the organisation had to shut down most of their projects this month.
CCS operated on 8 servers, which combined have around 30k monthly active users, and IFTAS found a total of 80 matches, averaging 4.29 matches per 100,000 media files. IFTAS writes:
“4.29 matches per 100,000 may not sound like a large number. However, to be clear, this is a higher number than many services would expect to see, and it includes a broad range of media, from “barely legal” minors posted publicly, to intimate imagery shared without consent, to the very, very worst media imaginable. In some cases, it was apparent that users were creating accounts on host services to transact or pre-sale media before moving to an encrypted platform, under the belief that Mastodon would not be able to detect the activity.”
The results show that there is a clear need for proper CSAM scanning and reporting services for the fediverse, and the fact that IFTAS does not have the funding to provide such a service is a significant loss to the network.
On a note related to IFTAS’s funding: Erin Kissane gave a talk at the AT Protocol conference recently, in which she talked about ‘vernacular institutions’. She described vernacular institutions as emergent and local organisations, which solve practical needs on the ground. Kissane describes vernacular institutions as ‘more useful than legible’. She then mentions IFTAS as a clear example; it provides a need for local communities (as illustrated by the CCS project), but its illegibility made it hard for funding organisations to understand what IFTAS was doing and provide them with the funding they need.
Fediforum has been cancelled
Fediforum has been cancelled, to be rescheduled at a later date. The unconference about the fediverse and the open social web was scheduled for today and tomorrow, April 1-2. This was supposed to be the 5th edition of Fediforum, which consists of speed demos and sessions that anyone can run on any topic. Fediforum is organised by Johannes Ernst, with Kaliya ‘IdentityWoman’ Young as the co-organiser. Transphobic tweets by Young had surfaced in the days leading up to the event, and various prominent community members announced that they were either withdrawing themselves from the event, or said that they personally would not want to go to the event. Ernst then announced on his personal account that Young would be “transitioning out of Fediforum”. A day later (March 31), the official Fediforum account confirmed that Young would no longer be involved. At this point, community trust in Ernst was damaged and the discourse had reached a harmful stage, and Ernst decided to cancel the unconference and reschedule it to a later date. WeDistribute has a more extensive writeup of the situation here.
An unconference like Fediforum depends to a large extent on community trust and good intentions, and it was clear that the vibe was not great for constructive conversation at the point that Ernst decided to postpone the event altogether. Still, Fediforum provided a great place for fediverse projects to do some promotion with the speed demos, and Fediforum said that they even had a waiting list for this edition. There is a clear demand for an (un)conference like Fediforum, but the fediverse has not managed to create other community events that allow people to showcase their fediverse project in the last few years, besides Fediforum itself.
At the time of publishing, Fediforum held a 90-minute townhall/roundtable discussion on the future of Fediforum and the broader issues. I’ll write more about this next week.
The Links
- Mastodon is hiring a Senior Product Designer.
- Independent fediverse developer Emelia Smith wrote two articles this week, one on ‘Open-source tools needed for the future of decentralized moderation’, as well as on how ‘Federation on the fediverse doesn’t have to be a binary choice between allowing everything or needing to pre-approve your entire network’.
- The Newsmast Foundation is taking over the administration of the indieweb.social server.
- Funkwhale has released a first alpha version of Funkwhale 2.0.
- This week’s fediverse software updates.
- PeerTube: the Fediverse’s decentralized video platform (part 2: creator edition) – Elena Rossini
- The Lemmy developers held an AMA this week. I didn’t get into covering their responses this week; that will happen next week. The entire AMA can be found here.

That’s all for this week, thanks for reading! You can subscribe to my newsletter to get all my weekly updates via email, which gets you some interesting extra analysis as a bonus that is not posted here on the website. You can subscribe below:

Deadly Myanmar earthquake was likely a rare rupture, scientists say
https://www.nature.com/articles/d41586-025-00997-1?utm_source=flipboard&utm_medium=activitypub
Posted into Latest science news @latest-science-news-NatureNewsteam
The one service I would gladly subscribe to nowadays would be the AI blocker...
The war on wind and solar is fuelled by right-wing misinformation and fossil interests.
But renewables keep breaking records, outpacing targets and proving they are viable.
Imagine how much further and faster we could go if political leaders put their full weight behind them!

In CMU’s long history of April Fools’ Day pranks, this one was gold https://www.winnipegfreepress.com/breakingnews/2025/04/01/in-cmus-long-history-of-april-fools-day-pranks-this-one-was-gold
What we need most in a world of fossil-fuel-made deserts and machine-generated illusions: humanity, aka vulnerability.
Feeling connected through shared vulnerability would be the way.
Inspired by: https://www.deutschlandfunkkultur.de/philosophie-der-beruehrung-ohne-verletzbarkeit-keine-menschliche-naehe-100.html
New: Fediverse Report #110
This week's news:
- A vulnerability in Pixelfed leaked private posts from other fediverse platforms
- @iftas shared results about running a CSAM detector for half a year for a few fediverse servers
- @fediforum has been cancelled, and will be rescheduled