Searching twtxt.net

Twts matching tag=xskwbra
In-reply-to » @prologic @thecanine @darch That was really awesome! Sorry for bringing up the old downer topic again. :-)

@fastidious@arrakis.netbros.com Privacy. When talking about the new peering and resolving phantom twts it dawned on me that it’s possible to exfiltrate all the feeds someone is following on a single-user yarnd, even though they disabled publicly showing their following feeds in the settings. To make it even worse, it’s already possible today using the /twt/hash endpoint. If you want to know if that person is subscribed to a certain feed, just pick a recent random twt from the feed in question, compute its hash and send it to the mentioned endpoint. If you get back an HTTP 200, you know that the person is following the feed. When receiving HTTP 404, chances are that they may not. Now you do this for all the feeds you know, @xandkar@xandkar.net conveniently has some lists for you. :-) This attack does not work for multi-user yarnd instances, though. The thing is, /twt/hash just looks in its cache to reply with the twt. If the user is interacting with the feed (mentions it), it’s quite obvious and not a big deal. But read-only feeds are leaked that way. And of course the discover view will leak that information, too.

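The status-code oracle described in the post above, modelled next to a lookup that gives read-only feeds the same 404 as a cache miss. This is an added example, not code from the post or from yarnd; the `Pod` type, its fields, and the sample hashes and URLs are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
)

// Pod is a hypothetical model of a single-user pod, not yarnd's real types.
type Pod struct {
	Cache         map[string]string // twt hash -> URL of the feed it was fetched from
	OwnFeed       string            // the pod owner's own feed
	Interacted    map[string]bool   // feeds the owner has publicly mentioned
	ShowFollowing bool              // the "publicly show following" setting
}

// LeakyStatus models the lookup in the post: any cache hit returns 200.
func (p *Pod) LeakyStatus(hash string) int {
	if _, ok := p.Cache[hash]; ok {
		return http.StatusOK
	}
	return http.StatusNotFound
}

// HardenedStatus returns 200 only when that reveals nothing new: own twts,
// feeds already mentioned in public, or any cached feed if the list is public.
func (p *Pod) HardenedStatus(hash string) int {
	feed, ok := p.Cache[hash]
	if ok && (p.ShowFollowing || feed == p.OwnFeed || p.Interacted[feed]) {
		return http.StatusOK
	}
	return http.StatusNotFound // same answer as a cache miss
}

// SamplePod returns constructed data; the hashes and URLs are made up.
func SamplePod() *Pod {
	own, a := "https://pod.example/twtxt.txt", "https://a.example/twtxt.txt"
	return &Pod{
		OwnFeed:    own,
		Interacted: map[string]bool{a: true},
		Cache:      map[string]string{"aaaaaaa": own, "bbbbbbb": a, "ccccccc": "https://ro.example/twtxt.txt"},
	}
}

func main() {
	p := SamplePod()
	for _, h := range []string{"aaaaaaa", "bbbbbbb", "ccccccc", "zzzzzzz"} {
		fmt.Println(h, p.LeakyStatus(h), p.HardenedStatus(h))
	}
}
```

The response body and timing would also have to match a real miss for the two 404 cases to be indistinguishable.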