262
Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover (github.com)
submitted 10 months ago* (last edited 10 months ago) by otter@lemmy.ca to c/fediverse@lemmy.world
18 comments fedilink hide all child comments

If your instance is not up to date (see footer), you can pass this along to your admins to check

top 18 comments
sorted by: hot top controversial new old
[-] jonne@infosec.pub 65 points 10 months ago

I wonder if the companies that forked mastodon (like truth social) will bother to update. I can see someone posting stuff as a former president with this flaw.

[-] roguetrick@kbin.social 25 points 10 months ago

Eh, stuff like truth social doesn't federate with anything anyway, so unfortunately this isn't a vulnerability for them.

[-] jonne@infosec.pub 10 points 10 months ago

Has it been confirmed this is a federation bug?

[-] skullgiver@popplesburger.hilciferous.nl 25 points 10 months ago

Has it been confirmed this is a federation bug?

Based on this commit, which fixes the vulnerability, the bug seems to lie within the ActivityPub receive logic, specifically validation of remote resources.

[-] jonne@infosec.pub 5 points 10 months ago

Oh great, thanks.

[-] NOT_RICK@lemmy.world 37 points 10 months ago

Is this mastodon specific or is it an activitypub flaw?

[-] skullgiver@popplesburger.hilciferous.nl 16 points 10 months ago

Mastodon only, and even then only on federated instances.

[-] Zak@lemmy.world 31 points 10 months ago

we think any amount of detail would make it very easy to come up with an exploit

People who would create exploits for this definitely can't read the diffs and see what changed.

[-] KazuyaDarklight@lemmy.world 26 points 10 months ago* (last edited 10 months ago)

Every barrier that slows down attacks a little is worth it when you are trying to buy time so people can apply emergency updates. It's not about stopping them from ever figuring it out.

[-] xor@infosec.pub 13 points 10 months ago

they're just delaying it by two weeks...

[-] mozz@mbin.grits.dev 11 points 10 months ago

Depends on skill level and the exact nature of the flaw. There's definitely going to be a nonzero number of malicious people who lie in the middle distance "I can come up with a way to exploit flaws if I have a detailed trail of breadcrumbs" and "I can't be bothered to do an unlimited amount of work to track down how to do this, I have other malicious things on my schedule for today."

[-] aeharding@lemmy.world 13 points 10 months ago

đŸ˜¬

[-] oDDmON@lemmy.world 11 points 10 months ago

That’s not good.

[-] A_A@lemmy.world 5 points 10 months ago

That isn't inversely not un_good, not.

[-] aciDC14@lemmy.world 8 points 10 months ago

That’s bad.

[-] BiggestBulb@kbin.run 5 points 10 months ago

Welp. I'm glad Stux was already updating earlier. Honestly, Stux probably knew before just about everyone else

[-] hperrin@lemmy.world 4 points 10 months ago

Thanks for the notice. My instance is now updated. :)

this post was submitted on 01 Feb 2024
262 points (100.0% liked)

Fediverse

28737 readers
297 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!

Rules

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy

founded 2 years ago
MODERATORS
ruud@lemmy.world
Xylinna@lemmy.world
MrCenny@lemmy.world
TragicNotCute@lemmy.world
automodbeta@lemmy.world
woelkchen@lemmy.world