Oh, great. #Pixelfed had a broken implementation of "follower-only" posts, _and_ fucked up the disclosure / bugfix release process.
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html
Summary of the bug: If you have a protected account (on Pixelfed, Mastodon, GTS, whatever) and a Pixelfed user followed you and got approved by you, _all_ users on that instance were now able to see your followers-only posts, not just the one you approved.
This also highlights an ActivityPub issue: If you approve someone's follow request, you're technically not granting that _user_ access, you giving their _instance_ access to your protected posts. And it's then up to that instance to behave in the correct way and only show your protected posts to those users you have actually accepted.
Sure, from a technical standpoint this might be obvious, but it can still be somewhat counterintuitive.
If you have a fediverse account, you can quote this note from your own instance. Search https://chaos.social/users/scy/statuses/114225451507441800 on your instance and quote it. (Note that quoting is not supported in Mastodon.)
