A controversial developer circumvented one of Mastodon's primary tools for blocking bad actors, all so that his servers could connect to Threads.

Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • sj_zero@lotide.fbxl.net
    61·
    6 months ago

    Seriously. Bobthenazi could just go to an aligned server and make an account Bobthenotzi and boom – perfectly able to follow whoever he wants.

    • rglullis@communick.newsEnglish
      4·
      6 months ago

      One more reason to argue that we should drop the idea of “aligned” servers and that we are moving to a future where it is better to charge (small) amounts from everyone instead of depending on (large) donations from a few.

      • sj_zero@lotide.fbxl.net
        41·
        6 months ago

        Ideally, a distributed fediverse wouldn’t need much in terms of donations because it’s a bunch of small instances instead of a few huge ones.

        • rglullis@communick.newsEnglish
          3·
          6 months ago

          Not the point. The point that instances that are open for everyone will be open for bad actors as well.

          If the mere act of signing up to an instance requires a small payment, you are automatically preventing the absolute majority of spammers, “spray and pray” scammers and channer trolls.