"TootRoot" Mastodon vulnerabilities fixed: Admins, patch now!

Categories: Personal. Tags: tootroot, mastodon, server, patch, update, CVE, flaw, vulnerability, social media, network, networking

We take a look at a collection of issues (now patched) which were affecting Mastodon servers. It’s time to apply the fix for TootRoot.


The post “TootRoot” Mastodon vulnerabilities fixed: Admins, patch now! appeared first on Malwarebytes Labs.

Source: Malwarebytes. Tags: xss, vulnerability, web, dos, rce

One of Twitter’s big rivals, Mastodon, recently finished fixing four issues, the worst of which allowed an attacker to create arbitrary files on an instance’s server. Mastodon, whose main selling point is lots of separate communities living on different servers yet still able to talk to each other, was notified of the flaws by auditors from a penetration testing company.

CVE-2023-36460 is the aforementioned “worst case”, dubbed TootRoot. If you’re not familiar with Mastodon, user posts are called “Toots” (as opposed to tweets if you’re on Twitter). As with Twitter, you’re able to post media files and this is where the problem resided.

According to Bleeping Computer, an issue with Mastodon’s media processing code meant a wide variety of problems could happen as a result. Denial of Service and arbitrary remote code execution are mentioned, with researcher Kevin Beaumont focusing on how webshells could be created on instances processing the rogue Toot.

The other vulnerabilities included cross-site scripting (XSS), potentially used to hijack accounts or impersonate others (CVE-2023-36459), and a technique for phishing through “verified profile links”, where formatting in the link hides part of its real destination (CVE-2023-36462). The final flaw allowed for Denial of Service (DoS): a malicious remote server can drip-feed its responses to the instance’s outgoing HTTP requests, tying up the instance’s workers until it becomes unresponsive (CVE-2023-36461).

As the patches are server updates, it’s essential that Mastodon admins set about securing their servers. The various issues were fixed in Mastodon versions 3.5.9, 4.0.5, and 4.1.3. TootRoot affects 3.5.0 and every later release before those fixes, and some of the other flaws reach back further still (the verified profile link issue dates to 2.6.0), so until you update, treat any unpatched instance as at risk.

Mastodon allows for the creation of many small (typically invite only) communities catering to all manner of interests and activities. There is a possibility that any security issue on such a platform could lead to specific forms of targeted harassment of at-risk communities.

Indeed, even the Mastodon instances populated by security folks aren’t exactly out of harm’s reach. Back in November of last year, someone discovered a way to steal passwords through an HTML injection vulnerability. Unfortunately for the good folks of Infosec Exchange, the vulnerability happened to affect the Glitch fork being used by…you’ve guessed it…Infosec Exchange. As a humorous side note, the issue was discovered due to people putting a “verified” icon in their username as a dig at Twitter.

Elsewhere, a misconfigured server was found to be scraping Mastodon user data. While the data scraped was nothing spectacular, instead including things like account and display name alongside profile pictures, it was a valuable reminder to be careful about what you post online.

Thankfully lots of Mastodon admins take these risks seriously, and most major instances should already be running the required patches for the various issues which have been found over time. If you’re looking to make the leap to Mastodon yourself, you should check out our guide which leads you through everything from account creation and server sign up to posting. Happy Tooting!


Related news

Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory. The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of

Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460,


CVE-2023-36462: Merge pull request from GHSA-55j9-c3mp-6fcq · mastodon/mastodon@610731b

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 2.6.0 and prior to versions 3.5.9, 4.0.5, and 4.1.3, an attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether. The link is visually misleading, but clicking on it will reveal the actual link. This can still be used for phishing, though, similar to IDN homograph attacks. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
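A generic check for the class of problem this entry describes, added here as an example and not Mastodon’s own code or its patch: given the URL a link actually points at and the text a reader sees, it compares the host the visible text suggests with the host the browser would really contact, and separately flags the userinfo trick (`https://bank.example@attacker.example/`), where the real host hides behind an `@`. The helper names, the host names and the sample inputs are constructed for illustration; the specific formatting used in CVE-2023-36462 is not reproduced.

```ruby
require 'uri'

# Host a reader would infer from the visible link text. The text may be a full URL, a bare
# host, or plain words; returns nil when there is no host-looking string to compare against.
def host_shown_in(text)
  shown = text.strip
  shown = "https://#{shown}" unless shown.match?(%r{\Ahttps?://}i)
  host = (URI.parse(shown).host rescue nil)   # invalid URI (spaces, stray chars) => nil
  host && host.include?('.') ? host.downcase : nil
end

# Compares what the link shows against where it really goes.
#   :ok               visible host and real host agree
#   :host_mismatch    text names one host, href contacts another
#   :userinfo_in_href href smuggles a fake host into the userinfo part before "@"
#   :no_host_in_text  text is not URL-like, nothing to compare (handle by policy)
#   :unparseable_href href is not an http(s) URL with a host
def link_display_check(href, display_text)
  target = (URI.parse(href) rescue nil)
  return :unparseable_href unless target.is_a?(URI::HTTP) && target.host
  return :userinfo_in_href if target.userinfo          # "https://bank.example@attacker.example/"
  shown = host_shown_in(display_text)
  return :no_host_in_text if shown.nil?
  shown == target.host.downcase ? :ok : :host_mismatch
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample links, not taken from any real profile.
  [
    ['https://bank.example/me', 'https://bank.example/me'],
    ['https://bank.example.attacker.example/', 'https://bank.example'],
    ['https://bank.example@attacker.example/', 'https://bank.example@attacker.example/'],
    ['https://attacker.example/', 'my homepage']
  ].each { |href, text| puts "#{text.ljust(44)} -> #{href.ljust(44)} #{link_display_check(href, text)}" }
end
```

The check is deliberately host-only: a link whose visible text and real target share a host but differ in path is not a phishing concern of this kind, while any disagreement in host, or a userinfo component at all, is worth refusing to mark as verified.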

CVE-2023-36461: Release v3.5.9 · mastodon/mastodon

Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.
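The distinction this advisory turns on, a timeout on each read versus a deadline on the whole response, shown as an added example in Ruby (the language Mastodon is written in); this is illustration code, not Mastodon’s HTTP client or its patch. The remote server is simulated with a pipe and a thread that either drips one byte at a time, stays silent, or finishes normally; `read_body`, `fake_server` and `fetch_outcome` are names chosen here. A per-read timeout alone never fires against the dripping peer, which is exactly how a worker gets held indefinitely; the overall deadline is what ends it.

```ruby
class SlowResponse < StandardError
  attr_reader :kind
  def initialize(kind, message)
    @kind = kind
    super(message)
  end
end

# Reads a response body from +io+ enforcing two independent limits:
#   read_timeout  : longest wait for any single chunk (what a per-read timeout gives you)
#   total_timeout : longest wall-clock time for the whole body (the overall deadline)
# A peer that sends one byte just inside read_timeout, forever, only trips the second.
def read_body(io, read_timeout:, total_timeout:, max_bytes: 1 << 20)
  body = +''
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + total_timeout
  loop do
    remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    raise SlowResponse.new(:deadline, "deadline #{total_timeout}s hit after #{body.bytesize} bytes") if remaining <= 0
    wait = [read_timeout, remaining].min         # never sleep past the overall deadline
    if IO.select([io], nil, nil, wait).nil?
      kind = wait < read_timeout ? :deadline : :stalled
      raise SlowResponse.new(kind, "no data for #{wait.round(3)}s (#{kind})")
    end
    chunk = io.read_nonblock(4096, exception: false)
    break if chunk.nil?                          # EOF: peer finished sending
    next if chunk == :wait_readable
    body << chunk
    raise SlowResponse.new(:too_large, "body exceeds #{max_bytes} bytes") if body.bytesize > max_bytes
  end
  body
end

# Constructed stand-in for a remote server. interval: seconds between single bytes
# (nil = send nothing, just hold the connection open); bytes: how many to send before
# closing (nil = drip forever, the slowloris case).
FakeServer = Struct.new(:io, :writer, :thread) do
  def close
    thread.kill
    writer.close unless writer.closed?
    io.close unless io.closed?
  end
end

def fake_server(interval:, bytes: nil)
  reader, writer = IO.pipe
  thread = Thread.new do
    if interval
      sent = 0
      while bytes.nil? || sent < bytes
        writer.write('x')
        sent += 1
        sleep interval
      end
      writer.close
    else
      sleep                                      # silent peer
    end
  rescue IOError, Errno::EPIPE
    nil                                          # reader gave up and closed the pipe
  end
  FakeServer.new(reader, writer, thread)
end

# Runs one fetch and reports [outcome, bytes_read]; outcome is :ok or the SlowResponse kind.
def fetch_outcome(server, read_timeout:, total_timeout:)
  body = read_body(server.io, read_timeout: read_timeout, total_timeout: total_timeout)
  [:ok, body.bytesize]
rescue SlowResponse => e
  [e.kind, 0]
ensure
  server.close
end

if $PROGRAM_NAME == __FILE__
  p fetch_outcome(fake_server(interval: 0.005, bytes: 50), read_timeout: 0.5, total_timeout: 5)   # honest peer
  p fetch_outcome(fake_server(interval: 0.02),            read_timeout: 0.5, total_timeout: 0.3) # dripping peer
  p fetch_outcome(fake_server(interval: nil),             read_timeout: 0.1, total_timeout: 5)   # silent peer
end
```

In the dripping case the per-read limit of 0.5 s is never reached because a byte arrives every 0.02 s; only the 0.3 s overall deadline ends the read. Pair the deadline with a body size cap, as above, since a peer that sends quickly but endlessly exhausts memory rather than time.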

