Headline
Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account
The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. “Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” the maintainers said in a terse advisory. The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of
Vulnerability / Social Media
The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account.
“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” the maintainers said in a terse advisory.
The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it.
It has been described as an “origin validation error” (CWE-346), which can typically allow an attacker to “access any functionality that is inadvertently accessible to the source.”
Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.
Mastodon said it’s withholding additional technical specifics about the flaw until February 15, 2024, to give admins ample time to update the server instances and prevent the likelihood of exploitation.
“Any amount of detail would make it very easy to come up with an exploit,” it said.
The federated nature of the platform means that it runs on separate servers (aka instances), independently hosted and operated by respective administrators who create their own rules and regulations that are enforced locally.
This also means that not only each instance has a unique code of conduct, terms of service, privacy policy, and content moderation guidelines, but it also requires each administrator to apply security updates in a timely fashion to secure the instances against potential risks.
The disclosure arrives nearly seven months after Mastodon addressed two other critical flaws (CVE-2023-36460 and 2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Categories: Personal Tags: tootroot Tags: mastodon Tags: server Tags: patch Tags: update Tags: CVE Tags: flaw Tags: vulnerability Tags: social media Tags: network Tags: networking We take a look at a collection of issues (now patched) which were affecting Mastodon servers. It's time to apply the fix for TootRoot. (Read more...) The post "TootRoot" Mastodon vulnerabilities fixed: Admins, patch now! appeared first on Malwarebytes Labs.
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460,
Mastodon is a free, open-source social network server based on ActivityPub. When performing outgoing HTTP queries, Mastodon sets a timeout on individual read operations. Prior to versions 3.5.9, 4.0.5, and 4.1.3, a malicious server can indefinitely extend the duration of the response through slowloris-type attacks. This vulnerability can be used to keep all Mastodon workers busy for an extended duration of time, leading to the server becoming unresponsive. Versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this issue.