Lemdro.id


Our Mission 🚀

Lemdro.id strives to be a fully open source instance with incredible transparency. Visit our GitHub for the nuts and bolts that make this instance soar and our Matrix Space to chat with our team and access the read-only backroom admin chat.

Community Guidelines

We believe in maintaining a respectful and inclusive environment for all members. We encourage open discussion, but we do not tolerate spam, harassment, or disrespectful behaviour. Let's keep it civil!

Get Involved

Are you an experienced moderator, interested in bringing your subreddit to the Fediverse, or a Lemmy app developer looking for a home community? We'd be happy to host you! Get in touch!

founded 2 years ago

A controversial developer circumvented one of Mastodon's primary tools for blocking bad actors, all so that his servers could connect to Threads.

We've criticized the security and privacy mechanisms of Mastodon in the past, but this new development should be eye-opening. Alex Gleason, the former Truth Social developer behind Soapbox and Rebased, has come up with a sneaky workaround to how Authorized Fetch functions: if your domain is blocked for a fetch, just sign it with a different domain name instead.

Gleason was originally investigating Threads federation to determine whether a failure to fetch posts indicated a software compatibility issue or whether Threads had blocked his server. After checking some logs and experimenting, he came to a conclusion.

"Fellas," Gleason writes, "I think threads.net might be blocking some servers already."

What Alex found was that Threads attempts to verify domain names before allowing access to a resource, a very similar approach to what Authorized Fetch does in Mastodon.

You can see Threads fetching your own server by looking at the facebookexternalua user agent. Try this command on your server:

grep facebookexternalua /var/log/nginx/access.log

If you see logs there, that means Threads is attempting to verify your signatures and allow you to access their data.


Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.
