Is this mastodon specific or is it an activitypub flaw?
Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover
Submitted 9 months ago by otter@lemmy.ca to fediverse@lemmy.world
https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw
Comments
NOT_RICK@lemmy.world 9 months ago
Zak@lemmy.world 9 months ago
we think any amount of detail would make it very easy to come up with an exploit
People who would create exploits for this definitely can’t read the diffs and see what changed.
KazuyaDarklight@lemmy.world 9 months ago
Every barrier that slows down attacks a little is worth it when you are trying to buy time so people can apply emergency updates.
xor@infosec.pub 9 months ago
they’re just delaying it by two weeks…
mozz@mbin.grits.dev 9 months ago
Depends on skill level and the exact nature of the flaw. There's definitely going to be a nonzero number of malicious people who lie in the middle distance "I can come up with a way to exploit flaws if I have a detailed trail of breadcrumbs" and "I can't be bothered to do an unlimited amount of work to track down how to do this, I have other malicious things on my schedule for today."
aeharding@lemmy.world 9 months ago
😬
oDDmON@lemmy.world 9 months ago
That’s not good.
A_A@lemmy.world 9 months ago
That isn’t inversely not un_good, not.
aciDC14@lemmy.world 9 months ago
That’s bad.
BiggestBulb@kbin.run 9 months ago
Welp. I'm glad Stux was already updating earlier. Honestly, Stux probably knew before just about everyone else
hperrin@lemmy.world 9 months ago
Thanks for the notice. My instance is now updated. :)
jonne@infosec.pub 9 months ago
I wonder if the companies that forked mastodon (like truth social) will bother to update. I can see someone posting stuff as a former president with this flaw.
shnizmuffin@lemmy.inbutts.lol 9 months ago
Image
roguetrick@kbin.social 9 months ago
Eh, stuff like truth social doesn't federate with anything anyway, so unfortunately this isn't a vulnerability for them.
jonne@infosec.pub 9 months ago
Has it been confirmed this is a federation bug?