Dear #VulpineClub:

This is an important message about a critical information disclosure bug in Mastodon.

tl;dr: Followers-only posts may be disclosed to unintended parties, and there is no fix yet.

Long version:
The "Relationships" page allows members to remove followers, and it does this by sending a Reject Follow message to the remote instance. The remote instance is supposed to remove the follower when it receives this message.

Since October 2019, Mastodon instances have not properly handled this Reject Follow message. The upshot of this is that if you used /relationships to remove a follower on a Mastodon instance, the unfollow didn't actually happen. This means that followers-only posts may be disclosed to unintended parties.

Furthermore, this fix has to be applied to every Mastodon instance on the Fediverse before this problem stops getting worse. Also, there is currently no known way to fix this problem, because no record is kept of Reject Follow messages.

The investigation into this is still in its early stages. We will be keeping an eye on the issue to determine the best way to clean this up.
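For readers unfamiliar with the mechanism the post describes, here is an added illustration (not Mastodon's code, and not from anyone in this thread) of what a receiving instance is supposed to do with a Reject whose object is a Follow: check that the Reject was sent by the account that was being followed, drop the matching follow relationship, and, since the post notes that no record of Reject messages is kept, write an audit entry so the removal can be reconstructed later. The in-memory `FollowStore`, the `demo` function, and the sample activity JSON are all constructed for this example; the ActivityPub `Reject` and `Follow` types and the actor/object fields are standard, but the exact shape Mastodon sends is not taken from the page.

```ruby
require 'json'

# Minimal in-memory model of follow relationships on one instance (constructed example).
# Follows are keyed by [follower_uri, followed_uri].
class FollowStore
  attr_reader :audit

  def initialize
    @follows = {}
    @audit = []   # record of every Reject Follow that was acted on
  end

  def add(follower_uri, followed_uri, follow_id)
    @follows[[follower_uri, followed_uri]] = follow_id
  end

  def following?(follower_uri, followed_uri)
    @follows.key?([follower_uri, followed_uri])
  end

  # Handle an inbound Reject whose object is a Follow.
  # local_actors: URIs of the accounts this instance hosts (the follower side).
  # Returns :removed, :ignored_not_follow, :ignored_wrong_actor, or :ignored_unknown.
  def handle_reject(activity_json, local_actors)
    activity = JSON.parse(activity_json)
    return :ignored_not_follow unless activity['type'] == 'Reject'

    follow = activity['object']
    return :ignored_not_follow unless follow.is_a?(Hash) && follow['type'] == 'Follow'

    follower = follow['actor']
    followed = follow['object']
    # The Reject must be sent by the account that was being followed; anything else
    # would let a third party remove follows it has no authority over.
    return :ignored_wrong_actor unless activity['actor'] == followed
    # Only act on follows we actually hold for one of our own accounts.
    return :ignored_unknown unless local_actors.include?(follower) && following?(follower, followed)

    @follows.delete([follower, followed])
    @audit << { reject_id: activity['id'], follow_id: follow['id'],
                follower: follower, followed: followed }
    :removed
  end
end

# Constructed sample: the remote account bob rejects the follow by local account alice.
SAMPLE_REJECT = JSON.generate(
  'id' => 'https://remote.example/activities/reject-1',
  'type' => 'Reject',
  'actor' => 'https://remote.example/users/bob',
  'object' => {
    'id' => 'https://local.example/activities/follow-42',
    'type' => 'Follow',
    'actor' => 'https://local.example/users/alice',
    'object' => 'https://remote.example/users/bob'
  }
)

# Constructed sample: same Follow, but the Reject claims to come from a different actor.
SPOOFED_REJECT = JSON.generate(
  'id' => 'https://remote.example/activities/reject-2',
  'type' => 'Reject',
  'actor' => 'https://remote.example/users/mallory',
  'object' => JSON.parse(SAMPLE_REJECT)['object']
)

ALICE = 'https://local.example/users/alice'
BOB = 'https://remote.example/users/bob'

# Runs the valid Reject and returns [result, still following?, audit entries].
def demo
  store = FollowStore.new
  store.add(ALICE, BOB, 'https://local.example/activities/follow-42')
  result = store.handle_reject(SAMPLE_REJECT, [ALICE])
  [result, store.following?(ALICE, BOB), store.audit.size]
end

# Runs the spoofed Reject and returns [result, still following?].
def demo_spoofed
  store = FollowStore.new
  store.add(ALICE, BOB, 'https://local.example/activities/follow-42')
  result = store.handle_reject(SPOOFED_REJECT, [ALICE])
  [result, store.following?(ALICE, BOB)]
end

puts demo.inspect          # [:removed, false, 1]
puts demo_spoofed.inspect  # [:ignored_wrong_actor, true]
```

The audit list is the part the thread says is missing in practice: without some record of which Rejects were received, an instance that silently dropped them has nothing to replay once the handling is fixed.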



@rey The actual PR that fixes this is here:

(Was somewhat puzzled at first since the issue you linked to doesn't actually mention the bug itself.)

@galaxis this fixes the cause of the issue, but doesn't do cleanup of the actual problem :<

@rey @galaxis yeah, that PR is only the "stop making it worse", and does not include "start making it right"

@riking @rey True, though on the other hand the "start making it right" issue seems to be in the early stages of starting (and may well need some kind of protocol extension and collaboration between the various implementations).

I'm not going to hold my breath.
