GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 05:47:32 JST, from gleasonator.com:
     location /api/pleroma/admin { return 403; }
     location /api/v1/pleroma/admin { return 403; }
    • nekobit (nekofag@rdrama.cc), Friday, 26-May-2023 06:01:42 JST:
      @alex is this the workaround to the vulnerability?
    • Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 06:01:42 JST, in reply to nekobit:
      @nekofag The leak was dumped from Admin API. Therefore, the attacker obtained an OAuth token for an admin user. How did they do that? Regardless, shutting down admin API will minimize the attack surface. Long term the right thing to do is to whitelist certain IPs to access it.
    • feld (feld@bikeshed.party), Friday, 26-May-2023 06:03:46 JST, in reply to nekobit:
      I'm gonna guess targeted attack, maybe tricked an admin into trying a new (backdoored) mastodon app and they slurped up their token that way
    • Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 06:05:14 JST, in reply to feld and nekobit:
      @feld @nekofag Most apps don't request admin scope. Only Soapbox and AdminFE that we know of.
    • Alex Gleason (alex@gleasonator.com), Friday, 26-May-2023 06:05:39 JST, in reply to feld and nekobit:
      @feld @nekofag Mastodon rejects authorizations if the scope contains "admin" in it.
    • feld (feld@bikeshed.party), Friday, 26-May-2023 06:06:25 JST, in reply to nekobit:
      Pleroma/Soapbox don't request admin scope either, right? But I can still click the magic "Login with PleromaFE" button
    • Fediverse Contractor (bot@seal.cafe), Friday, 26-May-2023 06:41:07 JST, in reply to kroner and nekobit:
      cc @kroner
    • 『g r e y』 :uv: ☦️ (grey@poa.st), Friday, 26-May-2023 06:44:19 JST:
      @alex Can the admin api endpoints be configured to be on a separate port so firewall rules could be used to restrict access?
      Alex Gleason likes this.
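      The two ideas raised above, Alex's longer-term "whitelist certain IPs" and grey's "separate port so firewall rules could be used", can both be done at the reverse proxy. The nginx fragment below is an added example and not something posted by anyone in this thread or shipped by Pleroma; it assumes Pleroma listens on 127.0.0.1:4000, uses example.social and invented certificate paths as placeholders, and uses 203.0.113.10 and 198.51.100.0/24 as stand-ins for the admins' addresses. The fragment belongs inside the http { } context.

```nginx
# Added example, not from the thread: keep Pleroma's Admin API reachable only
# from an allowlist of addresses. Assumptions/placeholders: Pleroma listens on
# 127.0.0.1:4000, the server name is example.social, the certificate paths are
# invented, and 203.0.113.10 / 198.51.100.0/24 stand in for admin addresses.

upstream pleroma {
    server 127.0.0.1:4000;
}

# Lets the streaming websocket keep working through the proxy.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name example.social;                        # placeholder
    ssl_certificate     /etc/ssl/example.social.crt;   # placeholder
    ssl_certificate_key /etc/ssl/example.social.key;   # placeholder

    # Proxy settings declared at server level are inherited by every location.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;

    # Admin API: allowlisted sources only; everyone else gets 403 before the
    # request reaches Pleroma. "^~" takes precedence over regex locations, so
    # a later "location ~ ..." rule cannot re-route these paths around the check.
    location ^~ /api/pleroma/admin {
        allow 203.0.113.10;        # placeholder admin address
        allow 198.51.100.0/24;     # placeholder admin network
        deny  all;
        proxy_pass http://pleroma;
    }
    location ^~ /api/v1/pleroma/admin {
        allow 203.0.113.10;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass http://pleroma;
    }

    # Everything else stays public.
    location / {
        proxy_pass http://pleroma;
    }
}

# Variant for the "separate port" question. If you use it, replace the two
# allowlisted admin locations above with the "return 403;" form from the
# original post, so the public vhost never proxies admin paths at all, and
# firewall this listener (placeholder port 8443) on its own.
server {
    listen 8443 ssl;                                   # placeholder port
    server_name example.social;                        # placeholder
    ssl_certificate     /etc/ssl/example.social.crt;   # placeholder
    ssl_certificate_key /etc/ssl/example.social.key;   # placeholder

    # Server-level allowlist as a second layer on top of the firewall rule.
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;

    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location ^~ /api/pleroma/admin    { proxy_pass http://pleroma; }
    location ^~ /api/v1/pleroma/admin { proxy_pass http://pleroma; }

    # Nothing but the admin paths is served on this port.
    location / {
        return 404;
    }
}
```

      Two caveats when applying this. allow/deny decide on $remote_addr, so if nginx itself sits behind a CDN or another proxy, every client arrives from that proxy's address and the allowlist either blocks all admins or admits everyone; in that setup set_real_ip_from and real_ip_header must be configured first. And a 403 at nginx only stops new requests: it does not invalidate an admin OAuth token that has already been obtained, so the token itself still needs to be revoked on the Pleroma side. Finally, since Soapbox and AdminFE are the clients that request admin scope (per the thread), admins using them from addresses outside the allowlist will lose their admin features, which is the intended effect.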
    • Ademan (ademan@thebag.social), Saturday, 27-May-2023 00:39:26 JST:
      is this mitigation still the correct move? graf mentioned writing something up but i haven’t seen it yet
      Fediverse Contractor likes this.

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.