Mastodon: Remote user impersonation and takeover

This is a disastrous bug in my eyes. They don’t give much information: Remote user impersonation and takeover · Advisory · mastodon/mastodon · GitHub
but I thought I’d bring it up here in case it’s ActivityPub /protocol related and hence might affect Akkoma too?
This seems important. Is the Akkoma project abandoned? (I don't mean to be harsh.)

Akkoma is not abandoned, last commit to develop was last week.

I think it’s more a question of whether anyone knows what the exact problem was on Mastodon and can reproduce this behaviour on Akkoma or not. I just checked Pleroma PRs, just in case they found something, but I’m not seeing anything referencing this. On Mastodon, I believe this is the MR that fixed the problem: Merge pull request from GHSA-3fjr-858r-92rw · mastodon/mastodon@a6641f8 · GitHub

And as I read your reply, @ilja, it occurs to me that it’s important to note that this may not be an ActivityPub problem at all; it may be a Mastodon problem … which would make it kinda irrelevant to Akkoma.

Still, I am sure the devs can reach out to the Mastodon team privately and determine whether this is something they need to be concerned about. That we have seen nothing here doesn’t mean no one has it on their radar.