> Furthermore, many people are upset that Maven is leaking people’s DMs. This is like living in a house where you refuse to have a front door or curtains on your windows and then getting very upset when somebody wanders in and sits down in your living room or looks in from across the street. The fediverse, by design, has no privacy. DMs are public!

I think “DMs are public” is an exaggeration. Yes, there are plenty of UX problems with it. No E2EE, which means the admin[s] of the instances involved in the conversation can read it if they want to, as well as other people easily getting added unintentionally to the mention-only conversation. I’ve come to accept these flaws and keep them in the threat model inside my mind. It’s just a janky email/IRC channel/unencrypted XMPP MUC.

What I didn’t expect is how in the world Maven was able to access those mention-only posts when they are not mentioned at all AFAIK, nor are they the admin of hackers.town, as shown here. The Mastodon software of the instance shouldn’t have allowed Maven to fetch the post. There’s clearly a security bug in Mastodon’s implementation at least, and Maven didn’t even acknowledge that.