Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://bikeshed.party/objects/fab9186c-9d68-4405-95ab-bbbdbea3e0c3">feld (feld@bikeshed.party)'s status on Friday, 02-Feb-2024 22:40:58 JST</a><a href="https://bikeshed.party/users/feld" title="feld@bikeshed.party"><img src="https://gnusocial.jp/avatar/4193-48-20240209135539.webp" width="48" height="48" alt="feld" style="position: absolute; left: 0; top: 0;">feld</a><div><ul><li></ul></div></section><article><a href="https://cyberplace.social/@GossiTheDog">@GossiTheDog</a> <br><br>&gt; TBA. This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.<br><br>what is this bullshit? We can just dig through the commits.<br><br>I'm guessing this change is related because it seems like "redirect confirmation" not being done correctly would allow you to takeover an account and the "I'll add tests later" seems like they're hiding something.<br><br><a href="https://github.com/mastodon/mastodon/pull/28902" rel="noreferrer nofollow">https://github.com/mastodon/mastodon/pull/28902</a></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/2664482#notice-5287499">In conversation</a><time datetime="2024-02-02T22:40:58+09:00" title="Friday, 02-Feb-2024 22:40:58 JST">Friday, 02-Feb-2024 22:40:58 JST</time> <span>from <span><a href="https://bikeshed.party/objects/fab9186c-9d68-4405-95ab-bbbdbea3e0c3" rel="external" title="Sent from bikeshed.party via ActivityPub">bikeshed.party</a></span></span><a href="https://bikeshed.party/objects/fab9186c-9d68-4405-95ab-bbbdbea3e0c3">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: opengraph.githubassets.com</div><h5><a href="https://github.com/mastodon/mastodon/pull/28902">Fix redirect confirmation for accounts by ClearlyClaire · Pull Request #28902 · mastodon/mastodon</a></h5><div></div></header><div>I will add tests in a follow-up PR.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
feld (feld@bikeshed.party)'s status on Friday, 02-Feb-2024 22:40:58 JSTfeld
- Kevin Beaumont
@GossiTheDog

> TBA. This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.

what is this bullshit? We can just dig through the commits.

I'm guessing this change is related because it seems like "redirect confirmation" not being done correctly would allow you to takeover an account and the "I'll add tests later" seems like they're hiding something.

https://github.com/mastodon/mastodon/pull/28902
In conversationFriday, 02-Feb-2024 22:40:58 JST from bikeshed.partypermalink
Attachments
1. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  Fix redirect confirmation for accounts by ClearlyClaire · Pull Request #28902 · mastodon/mastodon
  I will add tests in a follow-up PR.

Public

Embed Notice

HTML Code

Corresponding Notice