Spammers have registered hundreds of random 5-digit accounts on pixelfed.social by using the in-app registration APIs.

None of the accounts were able to verify their email address or become active thanks to the magic app links.

I recommend disabling this with `PF_ALLOW_APP_REGISTRATION=false` until we put in place more rate limits on these endpoints.

2
Jigme Datse

@dansup Thanks for letting us know. Not currently running a pixelfed instance, but knowing that there is work being done to handle this. Even the registration ends up being a pain to deal with when the volume is high. That's when they can't really even do anything with the accounts.

0
1y
hansenerd

@dansup i think i have some 10k new acc on .de. that's gonna be fun to clean up :D

1
1y