All of every user’s posts include a JSON field “application” which tips off any potential adversaries what software the user is running. This needless disclosure can be used to plan an attack.
This also creates a doxxing vulnerability. It leaves fingerprints all over the place publicly, so if (for example) EdVargo@VargoCorp also has a pseudo-anonymous account [email protected], someone working for VargoCorp can put the two together & figure out that both accounts are by the same person. This actually happened to me. People are clever & toot is a rare client.
There’s also a social problem. I really do not want any github URLs in my messages. I oppose Github and I shame Microsoft. I’m here under protest & actually do not report many bugs on any projects for which the bug tracker is exclusively on a Microsoft asset.
Most users are likely unaware of this user agent disclosure. Thus the field should be omitted by default.
Mastodon doesn't provide an easy way to avoid this on the client side. Logging in to the API requires creating an application, which takes client_name as a required parameter. This client name is also displayed to the user in the web UI when authorising the application, and in the list of authorised applications, so setting this to anything other than "toot" by default would create a confusing user experience.
Mastodon already provides functionality to hide the application name from other people at "Preferences > Other > [ ] Disclose application used to send posts", which is probably the right way for users to disable this behaviour.
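As an added example (not code from the toot project or from anyone in this thread), the following Python snippet audits a list of Mastodon-style status objects for the "application" field discussed above, so an account owner can confirm that the "Disclose application used to send posts" preference actually removed the client fingerprint from their public posts. The sample JSON is constructed for the example; the field layout follows the Mastodon status entity (an "application" object with "name" and "website", or null when disclosure is off), and the account names, ids and website URL are made up.

```python
import json
from collections import Counter

# Constructed sample input: three status objects shaped like the Mastodon
# statuses API response. Post 1 discloses the client, post 2 was sent with
# disclosure turned off (application is null), post 3 comes from the web UI.
SAMPLE_STATUSES_JSON = """
[
  {"id": "1", "account": {"acct": "alice"}, "content": "<p>hello</p>",
   "application": {"name": "toot", "website": "https://example.invalid/toot"}},
  {"id": "2", "account": {"acct": "alice"}, "content": "<p>again</p>",
   "application": null},
  {"id": "3", "account": {"acct": "bob"}, "content": "<p>hi</p>",
   "application": {"name": "Web", "website": null}}
]
"""


def load_statuses(raw_json):
    """Parse the API response; tolerate a missing key as well as an explicit null."""
    statuses = json.loads(raw_json)
    if not isinstance(statuses, list):
        raise ValueError("expected a JSON array of status objects")
    return statuses


def find_application_disclosures(statuses):
    """Return (status_id, client_name, website) for each status that still
    carries a non-null application object, i.e. each post that tells the
    public which client software produced it."""
    findings = []
    for status in statuses:
        app = status.get("application")
        if not app:  # None or missing: nothing disclosed
            continue
        findings.append((status["id"], app.get("name"), app.get("website")))
    return findings


def disclosure_summary(statuses):
    """Count, per account, how many posts disclose each client name.

    A rare client name appearing on several of one account's posts is the
    fingerprint the issue above describes, so the owner wants this to be empty."""
    counts = Counter()
    for status in statuses:
        app = status.get("application")
        if app and app.get("name"):
            counts[(status["account"]["acct"], app["name"])] += 1
    return dict(counts)


def account_is_clean(statuses, acct):
    """True when none of the given account's posts disclose an application."""
    return not any(
        s.get("application") for s in statuses if s["account"]["acct"] == acct
    )


if __name__ == "__main__":
    statuses = load_statuses(SAMPLE_STATUSES_JSON)
    for status_id, name, site in find_application_disclosures(statuses):
        print(f"status {status_id}: application={name!r} website={site!r}")
    print(disclosure_summary(statuses))
    print("alice clean:", account_is_clean(statuses, "alice"))
```

Running it against a page of one's own statuses (fetched with any client, or saved from the API as JSON) shows immediately whether older posts, made before the preference was changed, still carry the client name; the preference only affects posts sent after it is enabled.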
I believe this should fix the problem outlined in the issue. Thanks @lexiwinter