I’m disappointed by how Pixelfed managed the vulnerability. From a project with (supposedly) more than 150k monthly active users[3] and generous funding[4][5][6][7] I expect better.
This is not the first incident of Pixelfed handling security matters poorly. A similar situation unfolded a few months ago, when a bug[8] left hundreds of instances vulnerable, which apparently resulted in stolen S3 API keys.[9] At the time of writing, there is also a three-year-old GitHub issue that reports 2FA being broken
I have made this point before: Mastodon and friends have a protocol problem (so does bsky), not anything application-specific. ActivityPub not being able to work with hostile clients always means that anyone can create an application that violates the assumptions users take for granted. They are not designed for privacy, only federation (and not easily there either). At least Instagram can have uniform clients for users that can keep the promises made.
These incidents always remind me of the bsky bridge and Mastodon (and friends) drama, with the Masto users not understanding that their posts are not private at all outside of a pinky promise the official clients make.
It is the same issue everywhere across decentralized and/or federated services: how do you ensure a uniform and consistent experience across clients that may choose not to follow rules you ask to be enforced via policy but which are not verified at the protocol level?