Heads up, Tootdon users!
It has been discovered that Tootdon silently forwards copies of posts you interact with, as well as the auth token to your account, to its own servers.
https://mastodon.social/@kjwon15/99757268648426867
https://mastodon.social/@slipstream/99758520139922701
Consider replacing it with an open-source Masto app like Mastalab or SubwayTooter.
Make sure you also revoke Tootdon from your Authorized Apps in Preferences.
For folks here on Monsterpit:
https://monsterpit.net/oauth/authorized_applications
@daggertooth Any suggestions for a replacement on #iOS?
@sheogorath @daggertooth Amaroq, an awesome app by John Gabelmann
https://itunes.apple.com/it/app/amaroq-for-mastodon/id1214116200?mt=8
@daggertooth FYI, you can also block tootdon.ooo in /etc/hosts.deny to guarantee they hit you with any kind of authentication on their server, in case they do any automated grabbing of stuff.
@slimepunk you might wanna consider switching to mastalab full time -v-;;
@puppy ah
yes, thank you
@daggertooth Tootdon is an iOS app. Mastalab and Subway Tooter are Android apps. Is there useful overlap?
Tootdon has an app for both platforms.
I don't have an Apple device, so my suggestions are Android-centric with the hope that iOS folks will follow up suggestions for their platform.
@DialMforMara @daggertooth Amaroq is an open source app for iOS and my personal choice. It works relatively fine.
@julianruf @DialMforMara @daggertooth Amaroq and Twidere aren't native for iPad. Oyakodon crashes if my instance is down.
@daggertooth I tooted a bit about this a short bit ago:
https://freeradical.zone/@PresGas/99759145588718565
I have been pretty happy with #progressivewebapps
@daggertooth
"the app indexes only public toots for search function. If you deleted your toot on tootdon, it will be deleted on the search index too. Toots older than one month will be deleted from the search index."
@daggertooth Thanks for the heads-up on this. i was about to download this for iOS and will now revisit that decision.
@daggertooth mayb tag this with #Tootdon
@daggertooth thanks for the heads up!
@daggertooth @phessler Am I the only one using #twidere?
It's still on the list of apps[0], imo it should proooobably be removed
[0]:https://github.com/tootsuite/documentation/blob/master/Using-Mastodon/Apps.md
Yesterday evening I revamped that page. It is now 100% clear what is open source and what is proprietary.
@Gargron only needs to approve and merge the pull request.
@daggertooth I asked Tsukurito (the dev) support, and this was the reply. I'm happy to accept the uses are benign, though informing users first would definitely be good.
--
The app indexes only public toots for search function. If you deleted your toot on tootdon, it will be deleted on the search index as well. Toots older than one month will be deleted from the search index.
We also use OAuth token to send push notifications when the user received mentions, boosts and favourites.
@porsupah @daggertooth That push notification thing should absolutely be an opt-in thing with full disclosure. Like this:
[ ] Enable push notifications (requires giving our servers full access to your account)
@daggertooth oh dear. is it true? does anyone know who's behind Tootdon and why they would want to do this?
@daggertooth Thanks for also mentioning to revoke it from the authorized apps. I deleted the app from my phone, but didn't think of the authorisation I gave to it.
@daggertooth Amaroq is ethical, too.
(context: https://monsterpit.net/@daggertooth/99758674665873612)
@tootdon's response:
https://mstdn.jp/@tootdon/99759644880024717
(https://lgbt.io/@porsupah/99760874124551290)
If this is the case, that information needs to be in the app's extended description and informed consent asked of the user before they even add an account.
Users *absolutely* must be able to know about and consent to giving external services access to their data.
If someone were to compromise the servers with which the auth tokens are being shared, they'd have full access to your users' accounts!
Companies and developers like this make me wanna quit working in technology.
@seanl these tootdon revelations remind me of what we were talking about the other day and how there are currently no special protections, even through terms of use, for mastodon users against data mining
@sireebob If it's possible to detect that a post has been sent there it should be possible to tell which users are using it and ban them if it comes to that (after the education campaign fails of course).
@sireebob Perhaps we need free software licenses that are even more restrictive than the AGPL, prohibiting even interacting with a server using a closed source application.
@seanl I *thought* AGPL already covered that case. Am I mistaken?
@daggertooth great to know, thanks.
I've switched back to Amaroq, but honestly the mobile interface isn't odious at all.
@daggertooth so they're stealing auth tokens. How is that not illegal?
@daggertooth
I use mastalab and it's pretty great!
Thoughts on this, @Gargron? I feel this is something you should tell to new users (and users in general).
Maybe we should allow admins to ban certain applications? (To preserve user privacy or else)
@daggertooth I like Tusky much more than Mastalab, just FYI to anyone reading this thread
@daggertooth Thanks for that.
@daggertooth Well, that's something I didn't know! Thanks for the heads up!