Remote follow prompts for username and password
Environment
Mine
- Installation type (OTP or From Source): OTP
- Pleroma version: 2.2.2
- Elixir version: N/A
- Operating system: Ubuntu 20.04
- PostgreSQL version: psql (PostgreSQL) 12.5 (Ubuntu 12.5-0ubuntu0.20.04.1)
shitposter.club
- Installation type: Source
- Pleroma version: 2.0.50-5257-g31793d08-shitposterclub+dev
- Elixir version: ???
- Operating system: ???
- PostgreSQL version: ???
Bug description
On both my fresh 2.2.2 OTP install and shitposter.club, clicking "follow" on a Mastodon user, entering your Pleroma ID, and being taken to .../ostatus_subscribe?acct= will prompt you for username and password. This is a nuisance but also a phishing vulnerability.
This seems potentially related to #804 (closed); however, unlike the behavior demonstrated here (https://youtu.be/JTaU9BoVx40), navigating directly to the ostatus_subscribe URL will not prevent the prompt for username and password.
Edited by Ademan