Regarding the new @pixelfed Recovery service, @thisismissem pointed out that this could be a possible vector for abuse.
We're working on an even more advanced and abuse-resistant implementation!
That being said, I implemented some safeguards for the time being:
- Limited to accounts pixelfed.social knows
- Partial fuzzy matching
- Rate limited (5 reqs/min)
- Only pixelfed account results
- Access is limited to requests with a valid API key (which only our app has)
https://github.com/pixelfed/recovery/blob/main/app/Http/Controllers/ApiController.php