Closed bruceleerabbit closed 10 months ago
Mastodon doesn't provide an easy way to avoid this on the client side. Logging in to the API requires creating an application, which takes client_name as a required parameter. This client name is also displayed to the user in the web UI when authorising the application, and in the list of authorised applications, so setting this to anything other than "toot" by default would create a confusing user experience.
Mastodon already provides functionality to hide the application name from other people at "Preferences > Other > [ ] Disclose application used to send posts", which is probably the right way for users to disable this behaviour.
I always thought that's an advertising feature, so people can see what client you are using, to quickly spread new clients.
Even if you don't like the feature, calling it a security issue seems mildly overblown.
I believe this should fix the problem outlined in the issue. Thanks @lexiwinter
All of every user’s posts include a JSON field “application” which tips off any potential adversaries what software the user is running. This needless disclosure can be used to plan an attack.
This also creates a doxxing vulnerability. It leaves fingerprints all over the place publicly, so if (for example) EdVargo@VargoCorp also has a pseudo-anonymous account PotHeadHipster@420.club, someone working for VargoCorp can put the two together & figure out that both accounts are by the same person. This actually happened to me. People are clever & toot is a rare client.
There’s also a social problem. I really do not want any github URLs in my messages. I oppose Github and I shame Microsoft. I’m here under protest & actually do not report many bugs on any projects for which the bug tracker is exclusively on a Microsoft asset.
Most users are likely unaware of this user agent disclosure. Thus the field should be omitted by default.
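As an added example (not code from the toot project or from anyone in this thread), the following Python script audits a list of Mastodon status objects, such as those returned by the account statuses endpoint (GET /api/v1/accounts/:id/statuses), for the "application" field the issue describes. It reports which posts disclose a client name, how often each client appears, and which posts made after a given time still disclose one, so a user can confirm that turning off "Disclose application used to send posts" has had the effect they expect. The sample statuses are constructed, and the website URL in them is a placeholder.

```python
"""Audit Mastodon statuses for client-application disclosure.

Added example; not part of toot or Mastodon. A Mastodon Status object may
carry an "application" object with "name" and "website"; when no client is
disclosed the field is null or absent. Sample data below is constructed.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: only the fields relevant to the audit are included.
SAMPLE_STATUSES_JSON = """
[
  {"id": "1", "created_at": "2024-01-01T10:00:00.000Z",
   "application": {"name": "toot", "website": "https://example.invalid/toot"}},
  {"id": "2", "created_at": "2024-01-02T10:00:00.000Z",
   "application": {"name": "Web", "website": null}},
  {"id": "3", "created_at": "2024-01-03T10:00:00.000Z",
   "application": null}
]
"""


def load_statuses(raw):
    """Parse the JSON array of statuses as the API returns it."""
    return json.loads(raw)


def _parse_ts(value):
    """Parse Mastodon's ISO-8601 UTC timestamp (trailing 'Z') to a datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def client_disclosures(statuses):
    """Map status id -> disclosed client name for every disclosing status."""
    found = {}
    for status in statuses:
        app = status.get("application")
        if isinstance(app, dict) and app.get("name"):
            found[status["id"]] = app["name"]
    return found


def disclosing_since(statuses, since):
    """Ids of statuses created at or after `since` (datetime) that still
    disclose a client. Useful after changing the disclosure preference."""
    disclosed = client_disclosures(statuses)
    return sorted(
        status["id"] for status in statuses
        if status["id"] in disclosed and _parse_ts(status["created_at"]) >= since
    )


def audit(statuses):
    """Summarise how much client metadata the given statuses expose."""
    disclosed = client_disclosures(statuses)
    websites = sorted({
        status["application"]["website"] for status in statuses
        if isinstance(status.get("application"), dict)
        and status["application"].get("website")
    })
    return {
        "total": len(statuses),
        "disclosing": len(disclosed),
        "clients": dict(Counter(disclosed.values())),
        "websites": websites,
        "exposed": bool(disclosed),
    }


if __name__ == "__main__":
    statuses = load_statuses(SAMPLE_STATUSES_JSON)
    print(json.dumps(audit(statuses), indent=2))
    cutoff = datetime(2024, 1, 2, tzinfo=timezone.utc)
    print("still disclosing since cutoff:", disclosing_since(statuses, cutoff))
```

Feed the script the JSON from your own account's statuses endpoint to see which posts reveal the client and whether anything posted after you changed the preference still does.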