arcanicanis on Nostr: I guess it’s even worse that I thought, because from what’s been deduced by ...
I guess it’s even worse than I thought, because from what’s been deduced by others that reached out to me, it allows any user to make impersonated posts (and probably more) of users on the same instance.
From the info I have, I tested if other projects were affected, and found other projects it applies to as well.
For the projects that I found affected (by what’s assumed to be the details of GHSA-jhrq-qvrm-qr36), I haven’t found anyone yet that got any heads-up or private message from the Mastodon team before (or even after) this abrupt security release; they just shoved it out without notice, or only told a few closely-knit projects.
This specific vulnerability was even warned about by one project, years ago, that has even had mitigations since 3-4 years ago. But evidently those warnings were buried to history.
I’ll keep quiet for a few days at least on the details.
Published at 2024-02-17 01:47:07