Without a shadow of fear: Mastodon is actively fighting critical vulnerabilities
The update also brings a number of improvements to the functionality and design of the social network, making it more secure and user-friendly.
Users of Mastodon, a popular decentralized social network, can sleep easy knowing that the developers have released a security update that fixes a number of critical vulnerabilities. These vulnerabilities could endanger millions of users and disrupt the entire network. Mastodon differs from other social networks in its decentralized model, in which each user can choose from thousands of individual servers called “instances”. Mastodon currently has over 14 million registered users across over 20,000 instances.
One of the most dangerous vulnerabilities, CVE-2023-36460, allowed hackers to exploit a bug in the media attachments feature, which could lead to the creation and overwriting of files on the user’s device. As a result of successful exploitation, a remote hacker could execute arbitrary code on the user’s device, which posed a serious threat not only to Mastodon users but to the entire Internet community. If an attacker were to gain control over multiple instances, they could do even more harm by forcing users to download malicious applications or even bringing down the entire Mastodon infrastructure. Fortunately, no such cases have been recorded.
The critical vulnerability was discovered during comprehensive penetration testing conducted by Cure53 with support from the Mozilla Foundation. Four more vulnerabilities have been fixed as part of the security update, including another critical code issue, CVE-2023-36459. The issue was that attackers could inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon’s HTML sanitization. As a result, a remote attacker could execute malicious code when a user clicks on the preview cards.
The remaining three vulnerabilities were of high and medium severity. The first of these, a blind LDAP login injection, allowed attackers to extract arbitrary data from the LDAP database. The other two were a “Denial of Service over Slow HTTP Responses” and a formatting issue with “Verified Profile Links”. Each of these issues presented a different level of risk to Mastodon users.
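To illustrate the LDAP login injection class mentioned above, here is an added Ruby example (it is not Mastodon’s code and does not reproduce the patched bug): a login filter built by string interpolation beside the same filter with RFC 4515 escaping, plus a simple structural check. The function names and the sample login value are this example’s own assumptions.

```ruby
# Added example, not Mastodon's code: why interpolating a login name into an LDAP
# search filter is dangerous, and the escaping that keeps user input inert.

# Characters that carry meaning inside an LDAP search filter (RFC 4515).
LDAP_FILTER_ESCAPES = {
  "\\" => "\\5c",
  "*"  => "\\2a",
  "("  => "\\28",
  ")"  => "\\29",
  "\0" => "\\00",
}.freeze

# Escape one assertion value so the directory matches it literally instead of
# parsing it as filter syntax.
def ldap_escape(value)
  value.gsub(/[\\*()\x00]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Vulnerable form: the login name is dropped straight into the filter text, so a
# value containing ')' or '(' adds assertions the developer never wrote.
def unsafe_login_filter(uid_attr, login)
  "(&(#{uid_attr}=#{login})(objectClass=person))"
end

# Hardened form: the same filter with the user-controlled value escaped first.
def safe_login_filter(uid_attr, login)
  "(&(#{uid_attr}=#{ldap_escape(login)})(objectClass=person))"
end

# Defensive check for a built login filter: the template above contains exactly
# three opening parentheses and no wildcard. Escaped input cannot add either, so
# a different count means user input changed the filter's structure.
def filter_structure_intact?(filter)
  filter.count("(") == 3 && !filter.include?("*")
end

if __FILE__ == $PROGRAM_NAME
  probe = "alice)(mail=*"   # constructed sample input, not a real account
  puts unsafe_login_filter("uid", probe)   # structure altered by the input
  puts safe_login_filter("uid", probe)     # input matched literally
end
```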
In order to protect themselves from these vulnerabilities, Mastodon users only need to ensure that their chosen instance has installed the necessary updates on time.