Pixelfed leaks private posts from other Fediverse instances
fokus.cool
What makes this especially bad is the fact that Pixelfed is basically only one big instance which contains all the users and is being run by someone who's not really good at responsible disclosure and generally not really friendly towards the community.
Mastodon total: 7,792,207 - biggest instance mastodon.social: 2,627,588 --> 33%.
Pixelfed total: 675,348 - biggest instance 437,361 --> 65%
I was just told that it's a big-instance problem more than a small-instance one. Somebody else on the instance has to have a follow request approved by the victim so I can follow them without their consent, so it's not like I can make my own private instance just to violate people's privacy, see
Yes, and that's why it is especially bad, since there is only one very big Pixelfed instance ^^
Small world!
But really that's a Fediverse problem in general. When I joined up I came to the conclusion that it didn't make sense, from the viewpoint that I participate in social media to be visible, to join anything but the largest instance. Someone could disagree, but I think enough people would agree with that to maintain the dominance of large instances.
“Private” in the Fediverse is broken by design and one of the things that limits it is that a lot of people involved can’t make up their mind if they want to be visible or invisible.
This issue is really damning:
> Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.
The fediverse is really not ready to be a serious alternative to anything with issues like this.
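To make the quoted failure concrete, here is an added example (not Pixelfed's code and not from the advisory) that models one instance's follow bookkeeping in Python. In ActivityPub a locked account advertises `manuallyApprovesFollowers: true` on its actor document, and a Follow is only effective once the remote owner replies with an Accept; the actor, post and user names below are constructed, and the `Server` class is a simplified illustration, not the project's implementation. The `honor_remote_approval` switch puts the buggy behaviour (every Follow recorded as accepted) beside the hardened one (pending until Accept arrives).

```python
from dataclasses import dataclass, field

PENDING = "pending"
ACCEPTED = "accepted"

# Constructed actor document for a locked remote account (hypothetical URL).
ALICE = {
    "id": "https://remote.example/users/alice",
    "manuallyApprovesFollowers": True,
}

# Constructed followers-only post by Alice, addressed to her followers collection.
PRIVATE_POST = {
    "id": "https://remote.example/posts/1",
    "attributedTo": ALICE["id"],
    "visibility": "followers",
}


@dataclass
class Server:
    """One instance holding follow records and an inbox for all local users."""
    honor_remote_approval: bool
    # (local_user, remote_actor_id) -> PENDING or ACCEPTED
    follows: dict = field(default_factory=dict)
    # remote post id -> post delivered to this instance's shared inbox
    inbox: dict = field(default_factory=dict)

    def send_follow(self, local_user, actor):
        """A local user sends a Follow activity to a remote actor."""
        locked = actor.get("manuallyApprovesFollowers", False)
        if self.honor_remote_approval and locked:
            # Hardened: the remote owner must send Accept(Follow) first.
            status = PENDING
        else:
            # Buggy: the flag is ignored and the follow is recorded as live.
            status = ACCEPTED
        self.follows[(local_user, actor["id"])] = status
        return status

    def receive_accept(self, local_user, actor_id):
        """Inbox handler for Accept(Follow) from the remote owner."""
        if (local_user, actor_id) in self.follows:
            self.follows[(local_user, actor_id)] = ACCEPTED

    def receive_post(self, post):
        """Inbox handler: the post arrives because some local user is an
        accepted follower; it must not become readable by everyone here."""
        self.inbox[post["id"]] = post

    def can_view(self, local_user, post_id):
        """Followers-only posts are readable only by accepted followers."""
        post = self.inbox[post_id]
        if post["visibility"] == "public":
            return True
        key = (local_user, post["attributedTo"])
        return self.follows.get(key) == ACCEPTED


def run(honor_remote_approval):
    """Replay the scenario from the advisory on a fresh instance.

    Returns (legit_can_view, attacker_can_view)."""
    srv = Server(honor_remote_approval)
    srv.send_follow("legit", ALICE)
    srv.receive_accept("legit", ALICE["id"])   # Alice approved the legit user
    srv.send_follow("attacker", ALICE)         # Alice never approves this one
    srv.receive_post(PRIVATE_POST)             # delivered because legit follows
    return (
        srv.can_view("legit", PRIVATE_POST["id"]),
        srv.can_view("attacker", PRIVATE_POST["id"]),
    )


if __name__ == "__main__":
    print("ignoring manuallyApprovesFollowers:", run(False))  # (True, True)
    print("honoring manuallyApprovesFollowers:", run(True))   # (True, False)
```

The point of the model is that the privacy boundary is the per-user Accept, not the fact that the post reached the instance: once the server treats every local Follow as accepted, a single legitimately approved follower is enough to expose the post to everyone else on the same instance, which is exactly why the problem scales with instance size.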
> I’m disappointed by how Pixelfed managed the vulnerability. From a project with (supposedly) more than 150k monthly active users and generous funding, expect better.
Do better with what resources? Pixelfed has under $100K in funding and ~150k "users" using it, and the author expects them to do more? Clearly they cannot and are not making money. So what did the author expect? They are not Meta Platforms Inc with billions of dollars and users.
But in other news the 44th President of the United States (Barack Obama) just signed up to Bluesky. Tells you all you need to know about where the users from X are going to and it is not the fediverse.
These financing issues are part of the non-superiority story of the Fediverse relative to other platforms. A cost of roughly a dollar a year per user is par for the course for online systems, but Pixelfed is the opposite of Mozilla [1]. When I worked at arXiv in the early 2000s we had an honest cost structure per paper three orders of magnitude less than conventional journals, but we still weren't sustainable since we were a tiny unit in a large academic library that couldn't get it that we were responsible for at least 90% of the value the library generated.
Any actual solution to the current problems (e.g. how could community organizations, say a board game club, organize without Facebook?) has to solve the money problem first, then the technical problems. Despite the cult of the start-up, starting up is easy and can be done on a shoestring and unpaid labor; it's the sustaining that is hard, and the people who are capable of running on a shoestring are at the mercy of Mozilla-esque vultures whose core competence is fundraising.
[1] based anywhere but San Francisco, understaffed, probably one unpaid or underpaid staff member, no administrative overhead because no administration; heck, it probably costs about $500k a year to be eligible for and able to get grants
Yeah, the funding part is a whole different discussion which also gets dirty pretty quickly (IMHO). And yeah, stuff like Loops as a side project does not make anything better. One badly maintained PHP project should be enough already.