Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

News

Feb 03, 2024NewsroomVulnerability / Social Media

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account.

“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” the maintainers said in a terse advisory.

The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it.

It has been described as an “origin validation error” (CWE-346), which can typically allow an attacker to “access any functionality that is inadvertently accessible to the source.”

Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.

Mastodon said it’s withholding additional technical specifics about the flaw until February 15, 2024, to give admins ample time to update the server instances and prevent the likelihood of exploitation.

Cybersecurity

“Any amount of detail would make it very easy to come up with an exploit,” it said.

The federated nature of the platform means that it runs on separate servers (aka instances), independently hosted and operated by respective administrators who create their own rules and regulations that are enforced locally.

This also means that not only each instance has a unique code of conduct, terms of service, privacy policy, and content moderation guidelines, but it also requires each administrator to apply security updates in a timely fashion to secure the instances against potential risks.

The disclosure arrives nearly seven months after Mastodon addressed two other critical flaws (CVE-2023-36460 and 2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

White House Urges Tech Industry to Eliminate Memory Safety Vulnerabilities
Dormant PyPI Package Compromised to Spread Nova Sentinel Malware
Everything you need to know about IP grabbers
SMBs at Risk From SendGrid-Focused Phishing Tactics
New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

Leave a Reply

Your email address will not be published. Required fields are marked *