...I don't think I'll get any sleep.

This tootdon thing...

Fuck you, MobiRocket Inc. of Burlingame, California.

...one search later, I find out Burlingame is "located on the San Francisco Peninsula".

That explains quite a lot...


@tinker basically, it communicates with a server hosted in the US, where it sends at least:

- every public toot seen by the app
- every OAuth token of its users

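A check a user of such a client would want after reading this: with the app's traffic captured through an intercepting proxy (an assumption; the thread does not say how the behaviour was found), flag every request that carries your instance access token to a host other than your own instance, including tokens wrapped in URL-encoding or base64 on the way out. Added example, not code from the thread; the instance name, the token and the captured requests are constructed.

```python
import base64
from dataclasses import dataclass, field
from urllib.parse import quote, urlsplit

@dataclass
class CapturedRequest:
    """One outbound HTTP request as seen by an intercepting proxy (constructed)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def token_forms(token: str) -> set:
    """Plain, URL-encoded and base64 forms, so a wrapped token is still caught."""
    return {token, quote(token, safe=""), base64.b64encode(token.encode()).decode()}

def find_token_leaks(requests, home_instance: str, token: str):
    """(host, method, locations) for each request sending the token off-instance."""
    forms = token_forms(token)
    findings = []
    for req in requests:
        host = (urlsplit(req.url).hostname or "").lower()
        if host == home_instance.lower():
            continue  # the token is meant for this host; nothing to flag
        locations = [name for name, text in (
            ("Authorization header", req.headers.get("Authorization", "")),
            ("url", req.url),
            ("body", req.body),
        ) if any(f in text for f in forms)]
        if locations:
            findings.append((host, req.method, locations))
    return findings

# Constructed sample: the user's token and four requests captured from a client.
TOKEN = "CONSTRUCTED_TOKEN_abc123"
CAPTURE = [
    CapturedRequest("GET", "https://mastodon.example/api/v1/timelines/public",
                    {"Authorization": f"Bearer {TOKEN}"}),
    CapturedRequest("POST", "https://sync.vendor-backend.example/v1/register",
                    {"Content-Type": "application/json"},
                    f'{{"instance": "mastodon.example", "access_token": "{TOKEN}"}}'),
    CapturedRequest("GET", "https://push-relay.example/subscribe?tok="
                    + base64.b64encode(TOKEN.encode()).decode()),
    CapturedRequest("GET", "https://cdn.example/avatar.png"),
]

if __name__ == "__main__":
    for host, method, where in find_token_leaks(CAPTURE, "mastodon.example", TOKEN):
        print(f"token sent to {host} via {method} in: {', '.join(where)}")
```

A hit against any host that is not your instance is reason to revoke the token from your authorized apps, as several replies below suggest.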

@jerry @slipstream @tinker

I think I called this one two days ago, didn't I?

Even if *your* mastodon client does not allow you to do certain things, anyone can use the Mastodon API to track passwords, tokens, and "private" conversations.


@deeds @tinker @slipstream @jerry

appreciate the heads up

this is part of why I was reluctant to start using a Masto client at all, I use the mobile interface

@slipstream - Well that sucks. Guess I’ll delete it now.

@tinker @slipstream amaroq seems pretty stable, and the mastodon PWA is also pretty good.

@ajroach42 @slipstream @tinker I just wish Amaroq on iOS could consistently post images. Every time I try I get an error. Finally just switched to Pawoo on iOS. Just revoked Tootdon access and deleted it.

@kyleejohnson @ajroach42 @slipstream @tinker the amaroq dev hopes to get an update out soon that fixes this and other things

@tinker Don't forget to revoke it from your authorized apps, too.

@slipstream @tinker I actually don't personally care about it archiving public toots, but the OAuth tokens? I am having a very difficult time coming up with a reason that would not be malicious.

@varx @slipstream @tinker

Re: OAuth tokens. Thinking about it like a tool developer: say you are developing a distributed scraper, say for load balancing. You don't want to bother the user to submit a new auth code every time you switch to a new worker.

So now, where do you store the access token? A centralized server?

But yes, no one prevents you from having a range of different clients under the same client id/secret -- so you can re-use the token.

@varx @slipstream @tinker

I am waiting for involuntary scam toots of my friends to come and haunt me.

I personally would discourage entering your password into any client you did not write yourself. Otherwise, sooner or later a toxic app will take control of your account.

(I swear I am a nice person who would never do such a thing)

@deeds @slipstream @tinker Word has it they use the token for push notifications:


but I haven't yet seen evidence that they're getting informed consent from users on this.

@deeds @slipstream @tinker (Also can I just reiterate how much I hate phones? Real computers don't need to hand their credentials to random servers in order to drive notifications.)
