Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover
Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover
### Summary Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as...
This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.
But the commit to fix insufficient origin validation is already visible right there in the repo?
Could you explain what you're saying in common language?
The lack of details in the advisory is only a minor impediment for a malicious person who wants to figure out how to implement their own exploit for this vulnerability. Anyone can read the patch that fixes it and figure it out.
TLDR: if you run your own instance, update it ASAP. If an instance you rely on hasn't updated yet, consider asking its admins to do so. And if they don't update it soon, you might want to reconsider your choice of instance.
hope for the best; plan for the worst
@cypherpunks Upgrading went smoothly.
@cypherpunks Anyone know how we can tell if our servers have been updated yet (for instance, this one)?
Hmm, so if one is on iOS, the current version 2023.16, and is vulnerable. Take note apple / mac folx.
No, this is a server-side vulnerability. Clients do not need to update, instances do.
TY!