A controversial developer circumvented one of Mastodon’s primary tools for blocking bad actors, all so that his servers could connect to Threads.

We’ve criticized the security and privacy mechanisms of Mastodon in the past, but this new development should be eye-opening. Alex Gleason, the former Truth Social developer behind Soapbox and Rebased, has come up with a workaround for how Authorized Fetch functions: if your domain is blocked for a fetch, just sign the request with a different domain name instead.

Gleason was originally investigating Threads federation to determine whether a failure to fetch posts indicated a software compatibility issue or whether Threads had blocked his server. After checking some logs and experimenting, he came to a conclusion.

“Fellas,” Gleason writes, “I think threads.net might be blocking some servers already.”

What Gleason found was that Threads verifies the requesting domain before allowing access to a resource, a very similar approach to what Authorized Fetch does in Mastodon.

You can see Threads fetching your own server by looking at the facebookexternalua user agent. Try this command on your server:

grep facebookexternalua /var/log/nginx/access.log

If those lines appear, Threads is fetching from your server to verify your signatures before deciding whether to let you access its data.
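To make that log check more useful than a bare grep, the following script (an added example, not part of the original article or the Lemmy post) summarises every fetch made with the facebookexternalua user agent by HTTP status and path, so you can see which resources Threads requested and whether your server served them or refused them with 401/403. It assumes nginx's default combined log format, where the user agent is the fourth double-quoted field; the log lines in SAMPLE_LOG are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): summarise Threads' fetch
# attempts in an nginx combined-format access log by filtering on the
# facebookexternalua user agent. The sample log lines are constructed.

SAMPLE_LOG='203.0.113.10 - - [02/Jan/2024:10:00:01 +0000] "GET /users/alice HTTP/1.1" 200 1523 "-" "facebookexternalua"
203.0.113.10 - - [02/Jan/2024:10:00:02 +0000] "GET /users/alice/outbox HTTP/1.1" 401 76 "-" "facebookexternalua"
198.51.100.7 - - [02/Jan/2024:10:00:03 +0000] "GET /users/alice HTTP/1.1" 200 1523 "-" "Mastodon/4.2.1 (+https://example.org/)"
203.0.113.11 - - [02/Jan/2024:10:00:04 +0000] "GET /@alice/111 HTTP/1.1" 403 0 "-" "facebookexternalua"
203.0.113.10 - - [02/Jan/2024:10:00:05 +0000] "GET /users/alice HTTP/1.1" 200 1523 "-" "facebookexternalua"'

# Read an access log on stdin and print "STATUS PATH COUNT" for every
# request whose user agent (field 6 when splitting on double quotes,
# i.e. the fourth quoted field of the combined format) mentions Threads.
threads_fetches() {
  awk -F'"' '
    $6 ~ /facebookexternalua/ {
      split($2, req, " ")    # $2 is the request line: METHOD PATH PROTO
      split($3, rest, " ")   # $3 is " STATUS BYTES " right after it
      key = rest[1] " " req[2]
      n[key]++
    }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# Number of Threads fetches refused with 401/403 (e.g. rejected by
# Authorized Fetch) versus served with a 2xx status.
threads_refused() { threads_fetches | awk '$1 ~ /^40[13]$/ { s += $3 } END { print s + 0 }'; }
threads_served()  { threads_fetches | awk '$1 ~ /^2/ { s += $3 } END { print s + 0 }'; }

# On a real server, replace the sample with: threads_fetches < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | threads_fetches
```

A run of refused fetches against actor or outbox URLs tells you your Authorized Fetch policy is doing its job against this particular client; successful fetches of the actor document are the signature verification the article describes, since the remote side needs your public key before it can check anything you sign.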

  • LWD@lemm.ee (2 upvotes) · 11 months ago

    A bad faith actor figured out how to consume data from fediverse instances that did not consent to having their data consumed. Basically, let’s say an instance likes to harass queer people, but queer instances block them. The harassers set up a second server, which pulls in the content of the queer instance, then copies and pastes it over into the harassment instance, so the harassers can enjoy the data to their hearts’ content.

    Unfortunately, many fediverse evangelists already believe data consumption by all actors, including bad actors, is good and ethical and must be sought after in all cases… In other words, unless there’s a sudden change of heart or a rapid adoption of double standards, this might just be the way the service is used.