Conversation

Notices

Embed this notice
Alex Gleason (alex@gleasonator.com)'s status on Sunday, 04-Feb-2024 12:57:03 JST Alex Gleason
- Dan Ramos 🇵🇹🇺🇸 :verified:
"Mastodon vulnerability allows attackers to take over accounts"

Snopes: Mixed

It's a serious vulnerability for sure: "allowing attackers to impersonate users and take over their accounts"

But while this part is true: "allowing attackers to impersonate users"

This part is exaggerated: "and take over their accounts"

Impersonating remote users doesn't allow you to log in as them, change their email or password, etc. It allows people to submit forged posts by them, and "trick" Mastodon servers into accepting it. Either way, interesting that this leaks into the wider web.

RT: https://noauthority.social/users/Dan_Ramos/statuses/111871157549735051
In conversation about 10 months ago from gleasonator.com permalink
Attachments
1. No result found on File_thumbnail lookup.
  
  Dan Ramos :verified: (@Dan_Ramos@noauthority.social)
  
  from Dan Ramos :verified:
  
  @eriner This seems familiar, eh? 😎 Once again, thank you! Mastodon vulnerability allows attackers to take over accounts https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/
- Embed this notice
  arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 07:15:54 JST arcanicanis
  in reply to
  - arcanicanis
  - Dan Ramos 🇵🇹🇺🇸 :verified:
  Here's the 'more info':
  
  https://were.social/notice/AeuTOL78x560sfdeFc
  
  https://arcanican.is/excerpts/cve-2024-23832/
  
  https://arcanican.is/excerpts/cve-2024-23832/discovery.htm
  In conversation about 9 months ago permalink
  Attachments
  1. No result found on File_thumbnail lookup.
    
    Remote User Impersonation and Takeover via Cache Poisoning
  2. Domain not in remote thumbnail source whitelist: were.social
    
    arcanicanis (@arcanicanis@were.social)
    
    So here’s an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon:{ "@context": ["https://www.w3.org/ns/activitystreams"], "i...
  3. Domain not in remote thumbnail source whitelist: arcanican.is
    
    Remote User Impersonation and Takeover via Cache Poisoning
- Embed this notice
  arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 07:15:58 JST arcanicanis
  in reply to
  - Dan Ramos 🇵🇹🇺🇸 :verified:
  This part is exaggerated: “and take over their accounts”
  More info will come later regarding this.
  
  In conversation about 9 months ago permalink
  
  Alex Gleason repeated this.
- Embed this notice
  Alex Gleason (alex@gleasonator.com)'s status on Friday, 16-Feb-2024 07:17:20 JST Alex Gleason
  in reply to
  - arcanicanis
  - Dan Ramos 🇵🇹🇺🇸 :verified:
  @arcanicanis @Dan_Ramos It's pretty awesome. But I stand by my statement that "taking over accounts" is an exaggeration, because you cannot actually log in as them or change their password. Impersonation is a critical security issue. But people should not believe this can let people lock them out of their account.
  
  In conversation about 9 months ago permalink
- Embed this notice
  arcanicanis (arcanicanis@were.social)'s status on Friday, 16-Feb-2024 07:33:09 JST arcanicanis
  in reply to
  - Dan Ramos 🇵🇹🇺🇸 :verified:
  Well, it’s really close in severity: when you can take over the deliverability of their posts to any followers (on any software) that aren’t on the same server, when you can take over where Direct Messages across servers end up, when you can change the public key cached for any remote user and start impersonating S2S traffic, and much more.
  
  In conversation about 9 months ago permalink
  
  Alex Gleason likes this.

Public

Conversation

Notices

Feeds