this post was submitted on 01 Feb 2024
175 points (99.4% liked)

Fediverse

17698 readers
2 users here now

A community dedicated to fediverse news and discussion.

Fediverse is a portmanteau of "federation" and "universe".

Getting started on Fediverse;

founded 5 years ago
MODERATORS
deadsuperhero@lemmy.ml
wakest@lemmy.ml
175
Mastodon security update: every version prior to today's is vulnerable to remote user impersonation and takeover (github.com)
submitted 2 years ago by cypherpunks@lemmy.ml to c/fediverse@lemmy.ml
9 comments fedilink hide all child comments
all 10 comments
sorted by: hot top controversial new old
[–] redcalcium@lemmy.institute 29 points 2 years ago (1 children)

This advisory will be edited with more details on 2024/02/15, when admins have been given some time to update, as we think any amount of detail would make it very easy to come up with an exploit.

But the commit to fix insufficient origin validation is already visible right there in the repo?

[–] losttourist@kbin.social 31 points 2 years ago

Without a published POC there's a slightly longer window before clueless script kiddies start having a go at exploiting the vulnerability, though.

[–] AngieStone@mastodon.social 6 points 2 years ago (1 children)

@cypherpunks
German news:
https://www.heise.de/news/Mastodon-Diebstahl-beliebiger-Identitaeten-im-foederierten-Kurznachrichtendienst-9615961.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege

[–] androidul@lemmy.ml 1 points 2 years ago

nett hier

[–] desmosthenes@lemmy.world 5 points 2 years ago

hope for the best; plan for the worst

[–] steter@mastodon.stevesworld.co 3 points 2 years ago

@cypherpunks Upgrading went smoothly.

[–] Atelopus-zeteki@kbin.run -4 points 2 years ago (1 children)

Hmm, so if one is on iOS, the current version 2023.16, and is vulnerable. Take note apple / mac folx.

[–] cypherpunks@lemmy.ml 19 points 2 years ago (1 children)

No, this is a server-side vulnerability. Clients do not need to update, instances do.