Dear #VulpineClub:
This is an important message about a critical information disclosure bug in Mastodon.
tl;dr: Followers-only posts may be disclosed to unintended parties, and there is no fix yet.
The "Relationships" page (https://vulpine.club/relationships) allows members to remove followers, and it does this by sending a Reject Follow message to the remote instance. The remote instance is supposed to remove the follower when it receives this message.
Since October 2019, Mastodon instances have not properly handled this Reject Follow message. The upshot of this is that if you used /relationships to remove a follower on a Mastodon instance, the unfollow didn't actually happen. This means that followers-only posts may be disclosed to unintended parties.
Furthermore, this fix has to be applied to every Mastodon instance on the Fediverse before this problem stops getting worse. Also, there is currently no known way to fix this problem, because no record is kept of Reject Follow messages.
The investigation into this is still in its early stages. We will be keeping an eye on the issue (https://github.com/tootsuite/mastodon/issues/14480) to determine the best way to clean this up.
note: we've applied the fix on our end, so we will (... should??) properly handle received Reject Follow messages henceforth
@rey Question: Is the fix related to a specific version update? Or is there a discrete patch that needs to be applied?
@chirrveon i cherry-picked bfd5aea20686559f030ca0f2538bebc1943b398b ... it's not yet in a tagged Mastodon release or in the glitch-soc tree, since it's just a few hours old
@rey Thank you
@galaxis this fixes the cause of the issue, but doesn't do cleanup of the actual problem :<
@rey But doesn't that also mean that any mischievous instance could just ignore those reject follow messages and keep following you anyway?
@penguin42 yes, absolutely
ultimately, i think the fix for this will be to directly address every recipient of a followers-only post (so that if you have 500 followers across 50 instances, it generates 500 direct posts, instead of just fanning out to 50 posts), but this is above my pay grade
@rey @penguin42 there is not much incentive for mischievous instances to do that. They'll only get the followers-only toot if they have a legitimate follower or mentioned person there. The issue here is that if there are legit followers and “former followers” on an instance, both sets will see the message, but the bug doesn't widen the set of instances receiving the message. A mischievous instance would just ignore the privacy altogether, and directly mentioning the instance wouldn't help.
Directly addressing followers would definitely help with accidental de-synchronization issues like this, though. However it's not fully backwards-compatible with Mastodon (there are many cases where such a message would be interpreted as a DM instead of a followers-only message, which has widely different UX), and would be much more expensive.
@rey I guess this fixes it in the case where you trust admins but not individual users
@penguin42 there is implicit trust of the admins, since there are much easier ways to see private messages when you have root :)
@rey great. fantastic. more mastodon desynchronization with no way to reconcile it other than manually inputting data at both ends. just what everyone needed.
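As an added illustration (not Mastodon's code, and not posted by anyone in this thread) of the Reject Follow handling described in the first post and the shared-inbox fan-out discussed in the replies: a toy Ruby model of two instances, where a remote instance that drops the Reject keeps showing followers-only posts to the removed follower, plus a reconciliation check that only works with data from both ends. All account URIs are constructed.

```ruby
require 'set'
# Toy model of two ActivityPub instances (constructed example, not Mastodon code).
# A follow is stored as [follower_uri, followee_uri] on both the author's and the follower's instance.
class Instance
  attr_reader :follows
  def initialize
    @follows = Set.new
    @inboxes = Hash.new { |h, k| h[k] = [] }
  end

  def inbox(account)
    @inboxes[account]
  end

  # Remote side: a Reject wrapping a Follow is what /relationships sends to remove a follower.
  # honor_reject: false models the regression the thread describes, where the Reject was dropped.
  def receive_reject_follow(activity, honor_reject: true)
    return unless activity['type'] == 'Reject' && activity.dig('object', 'type') == 'Follow'
    return unless honor_reject
    @follows.delete([activity['object']['actor'], activity['actor']])
  end

  # Fan-out: the post reaches this instance once and is shown to every local account
  # that *this* instance still believes follows the author.
  def deliver_followers_only(author, text)
    @follows.select { |(_, followee)| followee == author }.each { |(follower, _)| @inboxes[follower] << text }
  end
end

# Author side: drop the follow locally and build the Reject{Follow} activity to send.
def remove_follower(home, author, follower)
  home.follows.delete([follower, author])
  { 'type' => 'Reject', 'actor' => author,
    'object' => { 'type' => 'Follow', 'actor' => follower, 'object' => author } }
end

# Reconciliation check: follows of `author` the remote still holds but the home instance does not.
# It needs both instances' data, which is why the damage cannot be cleaned up from one side alone.
def stale_follows(home, remote, author)
  remote.follows.to_a.select { |(_, f)| f == author } - home.follows.to_a
end

def scenario(honor_reject:)
  home, remote = Instance.new, Instance.new
  author = 'https://home.example/users/author' # constructed URIs
  alice, bob = 'https://remote.example/users/alice', 'https://remote.example/users/bob'
  [alice, bob].each { |f| home.follows << [f, author]; remote.follows << [f, author] }
  remote.receive_reject_follow(remove_follower(home, author, bob), honor_reject: honor_reject)
  remote.deliver_followers_only(author, 'followers-only post')
  { bob_saw_post: remote.inbox(bob).size, stale: stale_follows(home, remote, author).size }
end
```

With `honor_reject: false`, bob still receives the followers-only post and shows up as a stale follow; with the Reject honored, both counts are zero.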