Remote user impersonation and takeover
github.com
external-link
### Summary Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as...

This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.

But the commit to fix insufficient origin validation is already visible right there in the repo?

losttourist
link
fedilink
311Y

Without a published POC there’s a slightly longer window before clueless script kiddies start having a go at exploiting the vulnerability, though.

Script kiddies aren’t the first ones to take advantage of vulns, threat actors are.

That doesn’t mean you shouldn’t try to contain the blast radius.

deleted by creator

private repo they commit to and build from

This isn’t possible with Ruby and Mastodon. The only way to distribute the patch is to reveal the changes to the source. FWIW, compiling the fix is still just an obfuscation method, one can still just diff the binaries and see what changed (see: reverse-engineering Windows vulnerabilities in updates).

At best, you can release it with a bunch of unrelated and obfuscating changes, but putting work into doing that is further delaying simply getting the fix released.

deleted by creator

Could you explain what you’re saying in common language?

Arthur Besse
creator
link
fedilink
23
edit-2
1Y

The lack of details in the advisory is only a minor impediment for a malicious person who wants to figure out how to implement their own exploit for this vulnerability. Anyone can read the patch that fixes it and figure it out.

TLDR: if you run your own instance, update it ASAP. If an instance you rely on hasn’t updated yet, consider asking its admins to do so. And if they don’t update it soon, you might want to reconsider your choice of instance.

And if they don’t update it soon, you might want to reconsider your choice of instance.

The advisory went up about 4h ago. About 3h ago, my instance admin sent out an announcement that the patch had been applied. That was before I even heard about the issue.

Nice work :)

Fembot
link
fedilink
1
edit-2
1Y

deleted by creator

not the person you’re replying to but yes, anyone on an unpatched server is vulnerable

hope for the best; plan for the worst

@cypherpunks Upgrading went smoothly.

Hmm, so if one is on iOS, the current version 2023.16, and is vulnerable. Take note apple / mac folx.

Arthur Besse
creator
link
fedilink
201Y

No, this is a server-side vulnerability. Clients do not need to update, instances do.

TY!

Fembot
link
fedilink
1
edit-2
1Y

deleted by creator

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of “federation” and “universe”.

Getting started on Fediverse;

  • 0 users online
  • 3 users / day
  • 3 users / week
  • 64 users / month
  • 301 users / 6 months
  • 1 subscriber
  • 1.02K Posts
  • 13.6K Comments
  • Modlog