Authorized Fetch (also referred to as Secure Mode in Mastodon) was recently circumvented by a stupidly easy solution: just sign your fetch requests with some other domain name.

  • poVoq@slrpnk.net
    link
    fedilink
    arrow-up
    0
    ·
    11 months ago

    Why would they fix it?

    Fixing this in general is not so easy as ActivityPub wasn’t designed to prevent such things and AFAIK without some fundamental changes like proposed in Spritely or implemented in the Zot protocol it can’t really prevent this from happening.