⚠️ Publishing our company podcast today, I found an information-leaking bug in @Castopod. I've already informed the authors via their security contact.

Because this leaks information now, and maybe already has in the past, I've published this bug shortly after informing the authors. In short, consider all information sent to a Castopod instance as public, even if you set the visibility of your post to private, for example in Mastodon.

Short write up: leah.is/notes/private-message-

No reaction to my security report for over a week now. Therefore I would consider @Castopod not under current development or security maintenance anymore. The last public commit is also more than two months old. Sad :(

@leah Yassine did answer.
Being aggressive won't make it go faster.

@Castopod sorry! Aggressive? Wow. Yes, as I learned now, they answered from an instance that is widely blocked on the fediverse, and you didn't answer from your security mail address you documented on your site at all. Don't be surprised that this doesn't let you appear in the best light. But I'm happy to hear that they will work on it.

@leah @Castopod you did come off as aggressive but you do have a point.
