lainy on Nostr: So my current evaluation of this is: 1. There's a bug in pleroma oembed parsing that ...
So my current evaluation of this is:
1. There's a bug in Pleroma's oembed parsing that allows HTML injection; this is probably the one used for the attack on Poast. You need to have rich media (i.e. website previews) enabled for that to be dangerous.
2. There's a second exploit that I found first, having to do with the CSP settings for /proxy. The nginx snippet I posted fixes that, but it doesn't fix the first issue.
The used exploit might have been a different one altogether, but at least these two can absolutely be used to steal your oauth tokens.
So what you should do in my opinion is to deactivate rich media and add the nginx snippet I posted. If you can, you should also implement Alex's suggestion of moving media and proxy to subdomains (see here: https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO), as this will fix these two issues plus potential additional ones that we don't know of yet.
You should also delete ALL OAuth tokens, at least if you have used rich media or media proxy. You can do this by entering `delete from oauth_tokens` in psql.
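The post refers to an nginx snippet for the /proxy CSP problem that is not reproduced on this page. The fragment below is an added example written for this page; it is not lain's snippet and not Pleroma's own config. It shows the general shape of the mitigation: attach a restrictive Content-Security-Policy to everything served under Pleroma's media proxy (/proxy) and upload (/media) paths, so that a response which turns out to be HTML rather than an image cannot run script or read cookies/localStorage in the instance origin. The backend address (127.0.0.1:4000) and the `always` header behaviour are assumptions about a typical Pleroma-behind-nginx setup.

```nginx
# Added example, not the original poster's snippet. Assumes Pleroma listens
# on 127.0.0.1:4000 and that media proxy and uploads live at /proxy and /media.
location ~ ^/(proxy|media)/ {
    proxy_pass http://127.0.0.1:4000;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Treat anything served here as inert content: no script, no frames,
    # no form submission, no base-tag tricks, and sandboxed if it is ever
    # rendered as a document. "always" applies the header to error responses
    # too, so a 4xx/5xx page from the backend gets the same policy.
    add_header Content-Security-Policy "default-src 'none'; sandbox; form-action 'none'; base-uri 'none'; frame-ancestors 'none'" always;

    # Stop browsers from sniffing an HTML document out of a mislabelled image.
    add_header X-Content-Type-Options nosniff always;

    # Note: add_header inside a location REPLACES the add_header set inherited
    # from the server block. Any headers you rely on elsewhere (HSTS etc.)
    # must be repeated here or they silently disappear for these paths.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

To verify after reloading nginx, request a proxied URL with `curl -sI https://your.instance/proxy/...` and check that the Content-Security-Policy header is present. This only covers the /proxy issue the post calls the second exploit; it does nothing for the oembed HTML injection, which is why the post still recommends disabling rich media. Moving /media and /proxy to separate subdomains, as Alex's linked post suggests, removes the shared origin entirely and is the more robust fix.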
Published at 2023-05-26 18:36:36

Event JSON
{
"id": "029b2fc0f14af4c99aedf26f616524259a40259a8c6969ef7113b31aa3073239",
"pubkey": "776ed1a547e2693a2c964e4824d6306a11aa364cd9c798f3e1ccd638af3d3725",
"created_at": 1685126196,
"kind": 1,
"tags": [
[
"mostr",
"https://lain.com/objects/9074544e-9edf-44d4-abff-94a80b95142a"
]
],
"content": "So my current evaluation of this is:\n\n1. There's a bug in pleroma oembed parsing that allows html injection, this is probably the one used for the attack on poast. You need to have rich media (i.e. website previews) enable for that to be dangerous.\n\n2. There's a second exploit that I found first, having to with the CSP settings for /proxy. The nginx snippet i posted fixes that, but it doesn't fix the first issue.\n\nThe used exploit might have been a different one altogether, but at least these two can absolutely be used to steal your oauth tokens.\n\nSo what you should do in my opinion is to deactivate rich media and add the nginx snippet i posted. If you can, you should also implement alex's suggestion of moving media and proxy to subdomains (see here: https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO), as this will fix these two issues plus potential additional ones that we don't know of yet.\n\nyou should also delete ALL oauth tokens, at least if you have used rich media or media proxy. you can do this by entering `delete from oauth_tokens` in psql.",
"sig": "060afac29d194a47c752298bce4c2797b94632e5c3040de4aa66ab4a754a5dcf042749b999f565342d2bbf11ffd4355894944e7947ed89748a568f036a73b81e"
}