2024-02-16 20:44:19
arcanicanis on Nostr: v4.2.5 was released to fix CVE-2024-23832 (the one I reported) v4.2.6 was released to ...

v4.2.5 was released to fix CVE-2024-23832 (the one I reported).
v4.2.6 was released to fix CVE-2024-25618 (External OpenID Connect Account Takeover by E-Mail Change, credit to ).
v4.2.7 was released to add a not-yet-public Github security report: https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36

The update of v4.2.5 addressed the specific payloads I had put together, as it was confirmed fixed in my test lab. But I wouldn’t be surprised if there was more, such as if it was something to do with attributedTo or other properties that I could have overlooked.

I was already blown away by the point that I could do the first attack (of impersonated posts) so trivially, and then tumbling down the rabbit hole of noticing I could alter profiles too, and then even hijacking traffic outbound, and rejecting genuine traffic on the inbound—that there was probably even more yet to be discovered still, that someone else caught instead.

I can probably poke around with v4.2.5 more in a moment, to see if there were other trivial vulnerabilities overlooked.
Author Public Key
npub1pmt6lj9sff80t4fvzn75d3j7g5kk9jjs537keafg0mfgykndymms5wd4ts