On the Latest Pixelfed Security Fiasco
I just read the blog post from the person who discovered that Pixelfed was allowing users to follow private accounts on other servers. It covers not only how the bug was discovered, but the egregious mishandling of the whole affair. I hate to say it, but at this point I don't know how anyone is surprised by this sort of thing. The sole maintainer, Dansup, who has (I'm fairly sure) admitted that he didn't really know what he was doing when he started out by forking what was to become Pixelfed, is notorious for pushing contributors away from the project.
Certainly there's nothing wrong with learning as you go, but when you wind up with a user-base as large as Pixelfed's, and you accept funding for the project, you then have some responsibility for the safety of your users, and if you don't know what you're doing, a responsibility to find and work with people who do to that end. Also, learning that Pixelfed doesn't have federated blocking enabled is a scunner; it seems like such a basic safety feature.
I lost a lot of faith in Dansup when he backtracked on the fedipact. I lost more yet when he played the victim after the backlash. More still when he made Threads federation a user option instead of properly honoring the fedipact. Then came his behavior on Mastodon, pushing out contributors and complaining about them publicly, and now this, which is not the first serious security issue Pixelfed has had. At this point I'm strongly considering deleting my account on any server that runs software made by Dansup.
It's a real shame because without Pixelfed there's definitely a missing piece in the fediverse. The format, a low-text image-focused platform for people who want to get away from the soapboxes that other social media platforms become, is a nice one.