Article Details
Scrape Timestamp (UTC): 2024-02-03 06:54:44.984
Source: https://thehackernews.com/2024/02/mastodon-vulnerability-allows-hackers.html
Original Article Text
Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account.

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory.

The vulnerability, tracked as CVE-2024-23832, carries a CVSS severity score of 9.4 out of a maximum of 10. Security researcher arcanicanis has been credited with discovering and reporting it. It has been classified as an "origin validation error" (CWE-346), a weakness class in which a product fails to properly verify that a request or message comes from the source it claims, which can typically allow an attacker to "access any functionality that is inadvertently accessible to the source."

Every Mastodon version prior to 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.

Mastodon said it is withholding additional technical specifics about the flaw until February 15, 2024, to give administrators time to update their server instances and reduce the likelihood of exploitation. "Any amount of detail would make it very easy to come up with an exploit," it said.

The federated nature of the platform means that it runs on separate servers (aka instances), independently hosted and operated by their respective administrators, who create their own rules and regulations that are enforced locally. This means not only that each instance has its own code of conduct, terms of service, privacy policy, and content moderation guidelines, but also that each administrator must apply security updates in a timely fashion to secure the instance against potential risks; an instance that is not patched remains exposed regardless of how quickly the rest of the network updates.

The disclosure arrives nearly seven months after Mastodon addressed two other critical flaws (CVE-2023-36460 and CVE-2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.
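The following Ruby is an added illustration of the weakness class named above (CWE-346, origin validation error) in a federation setting. It is not Mastodon's code and it does not reproduce CVE-2024-23832, whose technical details the project withheld at the time of writing. It shows a constructed, hypothetical "remote actor fetch": the vulnerable version trusts whatever `id` the fetched object declares about itself, so an attacker-controlled host can hand back an object claiming to be an account on another server; the hardened version insists that the object's self-referential URLs share the origin (scheme, host, port) of the URL it was actually fetched from. The sample responses, the `SAMPLE_RESPONSES` lookup table standing in for an HTTP client, and the field list `%w[id inbox]` are all assumptions made for the example.

```ruby
# Added example: origin validation for a federation-style object fetch.
# NOT Mastodon's code and NOT the CVE-2024-23832 details (withheld by the
# project); a hypothetical illustration of CWE-346 in this setting.
require 'json'
require 'uri'

class OriginMismatch < StandardError; end

# Constructed sample responses, keyed by the URL that would be fetched.
# Stands in for an HTTP client so the example runs offline.
SAMPLE_RESPONSES = {
  # Honest server: the object's declared id lives on the fetched origin.
  'https://honest.example/users/alice' => {
    'id' => 'https://honest.example/users/alice',
    'type' => 'Person',
    'preferredUsername' => 'alice',
    'inbox' => 'https://honest.example/users/alice/inbox',
  },
  # Attacker-controlled server: the object claims to be alice on honest.example
  # while steering deliveries to the attacker's own inbox.
  'https://evil.example/users/fake' => {
    'id' => 'https://honest.example/users/alice',
    'type' => 'Person',
    'preferredUsername' => 'alice',
    'inbox' => 'https://evil.example/inbox',
  },
}.freeze

def fetch_json(url)
  body = SAMPLE_RESPONSES.fetch(url) { raise ArgumentError, "no constructed response for #{url}" }
  JSON.parse(JSON.generate(body)) # round-trip, as if parsing a response body
end

# Origin as (scheme, host, port), following RFC 6454. Only https is accepted
# here; that is a policy choice for the example.
def origin_of(url)
  u = URI.parse(url)
  raise ArgumentError, "refusing non-https URL: #{url}" unless u.scheme == 'https'
  raise ArgumentError, "URL without host: #{url}" if u.host.nil?
  [u.scheme, u.host.downcase, u.port]
end

# Vulnerable pattern: whatever `id` the remote object declares is recorded as
# the account's canonical URI, so a response served from evil.example can be
# stored as the account https://honest.example/users/alice.
def fetch_actor_unchecked(url)
  json = fetch_json(url)
  { uri: json['id'], username: json['preferredUsername'], inbox: json['inbox'] }
end

# Hardened pattern: the object's self-referential URLs must share the origin
# of the URL it was retrieved from. Checking `inbox` as well as `id` is a
# stricter local policy assumed for this example.
def fetch_actor_checked(url)
  json = fetch_json(url)
  expected = origin_of(url)
  %w[id inbox].each do |field|
    value = json[field]
    if value.nil? || origin_of(value) != expected
      raise OriginMismatch, "#{field} #{value.inspect} is not on the origin of #{url}"
    end
  end
  { uri: json['id'], username: json['preferredUsername'], inbox: json['inbox'] }
end

if $PROGRAM_NAME == __FILE__
  puts "unchecked: #{fetch_actor_unchecked('https://evil.example/users/fake').inspect}"
  begin
    fetch_actor_checked('https://evil.example/users/fake')
  rescue OriginMismatch => e
    puts "checked: rejected (#{e.message})"
  end
end
```

Comparing origins rather than requiring byte-equal URLs leaves room for a server to serve an actor at a different path than the one requested, while still refusing an object that claims an identity on a host the response did not come from.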
Daily Brief Summary
A critical security vulnerability in Mastodon allows attackers to impersonate and take over any account on the decentralized social network.
The issue, identified as CVE-2024-23832 with a severity rating of 9.4, was reported by a security researcher known as arcanicanis.
The flaw is classified as an "origin validation error" (CWE-346), a significant risk because a server that does not verify where a message or object really came from may grant the sender access to functionality that was never intended for that source.
Vulnerable Mastodon versions are all releases before 3.5.17, 4.0.x before 4.0.13, 4.1.x before 4.1.13, and 4.2.x before 4.2.5.
Mastodon has deferred releasing further technical details about the flaw until February 15, 2024, to allow server instance administrators time to apply necessary updates.
Due to Mastodon's federated structure, each independently hosted server instance requires its administrator to update promptly to mitigate any security risks.
The disclosure follows Mastodon's fixes, roughly seven months earlier, for two other critical vulnerabilities (CVE-2023-36460 and CVE-2023-36459) that could have led to denial-of-service or remote code execution.