What makes this especially bad is the fact that Pixelfed is basically only one big instance which contains all the users and is being run by someone who's not really good at responsible disclosure and generally not really friendly towards the community.

Mastodon total: 7,792,207 - biggest instance mastodon.social: 2,627,588 --> 33%.

Pixelfed total: 675,348 - biggest instance 437,361 --> 65%
“Private” in the Fediverse is broken by design and one of the things that limits it is that a lot of people involved can’t make up their mind if they want to be visible or invisible.
This issue is really damning:

> Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

The fediverse is really not ready to be a serious alternative to anything with issues like this.

> I’m disappointed by how Pixelfed managed the vulnerability. From a project with (supposedly) more than 150k monthly active users and generous funding, expect better.

Do better with what resources? Pixelfed has around <$100K in funding and ~150k "users" using it, and the author expects them to do more? Clearly they cannot and are not making money. So what did the author expect? They are not Meta Platforms Inc with billions of dollars and users.

But in other news the 44th President of the United States (Barack Obama) just signed up to Bluesky. Tells you all you need to know about where the users from X are going to, and it is not the fediverse.
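The access-control failure the quoted disclosure describes can be modelled in a few dozen lines. The following is an added example written for this thread, not Pixelfed's code and not taken from the linked write-up: a receiving server holds a remote author's followers-only post because one local user is an accepted follower, and must then decide which local viewers may read it. The broken check lets every local user see it, which is the behaviour the quote describes; the fixed check consults the post's ActivityPub addressing and the server's own record of accepted follows. Domains, user names and the followers-collection URIs are constructed for the example.

```python
"""Constructed model of followers-only visibility on a receiving fediverse
server. Not Pixelfed's code; an added illustration of the defect class the
quoted disclosure describes and of the check that closes it."""

from dataclasses import dataclass, field

# ActivityStreams "Public" audience identifier (real, from the spec).
PUBLIC = "https://www.w3.org/ns/activitystreams#Public"


@dataclass
class Post:
    author: str            # actor URI of the remote author
    content: str
    to: list               # ActivityPub addressing; followers-only posts are
                           # addressed to the author's followers collection
    cc: list = field(default_factory=list)


class Server:
    def __init__(self, domain):
        self.domain = domain
        self.local_users = set()
        # followers-collection URI per remote actor, learned when the actor
        # document was fetched (constructed mapping for this example)
        self.remote_actors = {}
        # accepted follow relationships: (local_user, remote_author)
        self.accepted_follows = set()
        self.inbox = []

    def add_user(self, name):
        uri = f"https://{self.domain}/users/{name}"
        self.local_users.add(uri)
        return uri

    def record_accepted_follow(self, local_user, remote_author):
        self.accepted_follows.add((local_user, remote_author))

    def receive(self, post):
        self.inbox.append(post)

    def visible_to_broken(self, post, viewer):
        # Defect modelled on the disclosure: once the post sits in the local
        # inbox, any authenticated local user may read it, regardless of
        # who it was addressed to.
        return viewer in self.local_users

    def visible_to_fixed(self, post, viewer):
        # Enforce the post's audience. Fail closed whenever the addressing
        # cannot be resolved to a relationship this server can verify.
        if viewer not in self.local_users:
            return False
        recipients = set(post.to) | set(post.cc)
        if PUBLIC in recipients or viewer in recipients:
            return True
        followers_coll = self.remote_actors.get(post.author)
        if followers_coll is not None and followers_coll in recipients:
            return (viewer, post.author) in self.accepted_follows
        return False

    def timeline(self, viewer, check):
        return [p.content for p in self.inbox if check(p, viewer)]


def demo():
    """Constructed scenario: alice follows a locked remote account, mallory
    is another user on the same instance who never followed it."""
    server = Server("pixelfed.example")
    alice = server.add_user("alice")
    mallory = server.add_user("mallory")
    bob = "https://mastodon.example/users/bob"
    server.remote_actors[bob] = bob + "/followers"
    server.record_accepted_follow(alice, bob)

    server.receive(Post(author=bob, content="followers-only",
                        to=[bob + "/followers"]))
    server.receive(Post(author=bob, content="public",
                        to=[PUBLIC], cc=[bob + "/followers"]))
    return {
        "broken_mallory": server.timeline(mallory, server.visible_to_broken),
        "fixed_mallory": server.timeline(mallory, server.visible_to_fixed),
        "fixed_alice": server.timeline(alice, server.visible_to_fixed),
    }


if __name__ == "__main__":
    for name, posts in demo().items():
        print(f"{name}: {posts}")
```

The difference between the two checks is the whole issue: the broken version treats "this server received the post" as equivalent to "this viewer was a recipient", while the fixed version resolves the followers collection in `to`/`cc` back to a follow relationship the server actually recorded an Accept for, and denies by default when it cannot.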