Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover

⁨257⁩ ⁨likes⁩

Submitted ⁨⁨11⁩ ⁨months⁩ ago⁩ by ⁨otter@lemmy.ca⁩ to ⁨fediverse@lemmy.world⁩

https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw

source

Comments

Sort:hotnewtop
  • jonne@infosec.pub ⁨11⁩ ⁨months⁩ ago

    I wonder if the companies that forked mastodon (like truth social) will bother to update. I can see someone posting stuff as a former president with this flaw.

    source
    • shnizmuffin@lemmy.inbutts.lol ⁨11⁩ ⁨months⁩ ago

      Image

      source
    • roguetrick@kbin.social ⁨11⁩ ⁨months⁩ ago

      Eh, stuff like truth social doesn't federate with anything anyway, so unfortunately this isn't a vulnerability for them.

      source
      • jonne@infosec.pub ⁨11⁩ ⁨months⁩ ago

        Has it been confirmed this is a federation bug?

        source
        • -> View More Comments
  • NOT_RICK@lemmy.world ⁨11⁩ ⁨months⁩ ago

    Is this mastodon specific or is it an activitypub flaw?

    source
  • Zak@lemmy.world ⁨11⁩ ⁨months⁩ ago

    we think any amount of detail would make it very easy to come up with an exploit

    People who would create exploits for this definitely can’t read the diffs and see what changed.

    source
    • KazuyaDarklight@lemmy.world ⁨11⁩ ⁨months⁩ ago

      Every barrier that slows down attacks a little is worth it when you are trying to buy time so people can apply emergency updates.

      source
    • xor@infosec.pub ⁨11⁩ ⁨months⁩ ago

      they’re just delaying it by two weeks…

      source
    • mozz@mbin.grits.dev ⁨11⁩ ⁨months⁩ ago

      Depends on skill level and the exact nature of the flaw. There's definitely going to be a nonzero number of malicious people who lie in the middle distance "I can come up with a way to exploit flaws if I have a detailed trail of breadcrumbs" and "I can't be bothered to do an unlimited amount of work to track down how to do this, I have other malicious things on my schedule for today."

      source
  • aeharding@lemmy.world ⁨11⁩ ⁨months⁩ ago

    😬

    source
  • oDDmON@lemmy.world ⁨11⁩ ⁨months⁩ ago

    That’s not good.

    source
    • A_A@lemmy.world ⁨11⁩ ⁨months⁩ ago

      That isn’t inversely not un_good, not.

      source
  • aciDC14@lemmy.world ⁨11⁩ ⁨months⁩ ago

    That’s bad.

    source
  • BiggestBulb@kbin.run ⁨11⁩ ⁨months⁩ ago

    Welp. I'm glad Stux was already updating earlier. Honestly, Stux probably knew before just about everyone else

    source
  • hperrin@lemmy.world ⁨11⁩ ⁨months⁩ ago

    Thanks for the notice. My instance is now updated. :)

    source