Emelia 👸🏻

Wowzers, that Mastodon CVE recently was quite something:

• You can inject a post that is attributed to any remote user
• You can overwrite the server's copy of any remote user
• You can rekey the server's copy of any remote user, by just listing another key

The full technical write up is worth a read: arcanican.is/excerpts/cve-2024

14 comments
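The three bullets in the post above all reduce to one trust decision: whether a server believes what a fetched ActivityPub document claims about its own `id`, its author, and its signing key. The advisory for CVE-2024-23832 describes the bug class as insufficient origin validation. The following is an added example, not Mastodon's code and not from the write-up linked above, of the same-origin invariants a fetcher can enforce before storing anything. The function names, the sample documents and the hostnames (`alice.example`, `evil.example`) are constructed for illustration.

```ruby
require 'uri'

# Added example (not Mastodon's code): same-origin checks on fetched
# ActivityPub documents. Each check maps to one bullet in the post:
#   - object id must share origin with the URL it was fetched from
#     (otherwise any server can serve a document claiming another
#     server's object or actor id)
#   - a post's attributedTo must share origin with the post id
#     (otherwise a post can be pinned on a remote user)
#   - an actor's publicKey must be owned by that actor and live on the
#     same origin (otherwise an actor document can be "rekeyed")

# Origin of an https URL as "https://host[:port]", or nil if the value is
# not a usable https URL (nil, a hash, garbage, http://...).
def origin_of(url)
  u = URI.parse(url.to_s)
  return nil unless u.is_a?(URI::HTTPS) && u.host
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "https://#{u.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

def same_origin?(a, b)
  oa = origin_of(a)
  !oa.nil? && oa == origin_of(b)
end

# ActivityPub allows either a bare id string or an embedded object here.
def id_of(value)
  value.is_a?(Hash) ? value['id'] : value
end

ACTOR_TYPES = %w[Person Service Group Organization Application].freeze

# Returns [] when the document may be stored, otherwise the list of
# reasons it must be rejected. fetch_url is the URL actually dereferenced.
def validate_fetched(fetch_url, doc)
  problems = []
  id = doc['id']
  problems << 'id not same-origin as fetch URL' unless same_origin?(fetch_url, id)

  if ACTOR_TYPES.include?(doc['type'])
    key = doc['publicKey'].is_a?(Hash) ? doc['publicKey'] : {}
    problems << 'publicKey.owner must equal actor id' unless key['owner'] == id
    problems << 'publicKey.id not same-origin as actor' unless same_origin?(id, key['id'])
  elsif %w[Note Article].include?(doc['type'])
    author = id_of(doc['attributedTo'])
    problems << 'attributedTo not same-origin as object' unless same_origin?(id, author)
  end
  problems
end

# Constructed sample documents.
LEGIT_NOTE = {
  'id' => 'https://alice.example/notes/1', 'type' => 'Note',
  'attributedTo' => 'https://alice.example/users/alice', 'content' => 'hi'
}.freeze

# Served by evil.example but claims alice's object id.
SPOOFED_ID_NOTE = LEGIT_NOTE.freeze

# Hosted on evil.example under its own id but pinned on alice.
SPOOFED_AUTHOR_NOTE = {
  'id' => 'https://evil.example/notes/7', 'type' => 'Note',
  'attributedTo' => 'https://alice.example/users/alice', 'content' => 'hi'
}.freeze

LEGIT_ACTOR = {
  'id' => 'https://alice.example/users/alice', 'type' => 'Person',
  'publicKey' => { 'id' => 'https://alice.example/users/alice#main-key',
                   'owner' => 'https://alice.example/users/alice',
                   'publicKeyPem' => '-----BEGIN PUBLIC KEY-----...' }
}.freeze

# Same actor id, but the key now lives on the attacker's host.
REKEYED_ACTOR = {
  'id' => 'https://alice.example/users/alice', 'type' => 'Person',
  'publicKey' => { 'id' => 'https://evil.example/keys/1',
                   'owner' => 'https://alice.example/users/alice',
                   'publicKeyPem' => '-----BEGIN PUBLIC KEY-----...' }
}.freeze

if $PROGRAM_NAME == __FILE__
  p validate_fetched('https://alice.example/notes/1', LEGIT_NOTE)
  p validate_fetched('https://evil.example/objects/1', SPOOFED_ID_NOTE)
  p validate_fetched('https://evil.example/notes/7', SPOOFED_AUTHOR_NOTE)
  p validate_fetched('https://alice.example/users/alice', LEGIT_ACTOR)
  p validate_fetched('https://alice.example/users/alice', REKEYED_ACTOR)
end
```

The point of keying everything off `fetch_url` rather than off the document is that the fetch URL is the one thing the receiving server chose itself; every other identifier arrives under the remote server's control. Redirects need the same treatment: compare against the final URL only if the redirect target is itself same-origin with the original, otherwise a 302 from `evil.example` to `alice.example` re-opens the hole.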
Haelwenn /элвэн/ :triskell:
@thisismissem Wow, and there I thought (even with looking in the diff, granted I'm not familiar with Mastodon's codebase) it was just injecting weird posts that weren't actually made by the user.

At least I asserted correctly that Pleroma isn't vulnerable (I'd say it fundamentally can't, it all goes through the same validation process).
charlag

@thisismissem I was reading up to the point where it starts going on an unfounded rant against blocklists. nooooo thank you

Emelia 👸🏻

@charlag worth just ignoring that part. Everyone and their cousin has opinions on blocklists and other things. (i.e., I'd suggest not throwing the baby out with the bath water)

charlag

@thisismissem I mean, sure, opinions are a thing but when they align with people who enact racism and you cry cancel culture and actively inject it in a post this is a bit more than just an opinion innit.

I'll probably still read it for technical details but dismissing these things too easily… I don't feel so good about it.

Emelia 👸🏻

@charlag aye, but also, they could've easily verified if they were blocked: mastodon publishes its domain blocks publicly.

It's probably just someone being angry about a feature that they don't understand.

mirabilos

@thisismissem @arcanicanis money quote:

> But yet, Mozilla paid for a formal security audit of the Mastodon codebase, missed this, and yet this just tumbles into my lap. Great, I just resent the typical nature of the 'security consultancy' industry even more,

SpaceLifeForm

@thisismissem

I've had suspicions based upon observation.

This fits.

cc: @jerry @paco

#MastoAdmin

Paul Chambers

@SpaceLifeForm @thisismissem @jerry @paco

arcanicanis posts an example of one of the maliciously-crafted payloads that resulted in a 9.8 severity CVE (CVE-2024-23832) against Mastodon at this post.

were.social/objects/cfe6a3fd-1

Emelia 👸🏻

@jerry aye, there's some very childish/silly remarks in the post imo, but hey, whatever. The meat of the post with regards to what the vulnerability was was the interesting part.
