Security Vulnerabilities in Mastodon

by Alberto Matus

Since Elon Musk’s takeover of Twitter, many users have had second thoughts about staying on the social network. This has paved the way for other platforms such as Meta’s new Threads and Eugen Rochko’s Mastodon. Mastodon describes itself as a “federated” network: a collection of thousands of social networks run on different servers that are linked through the Mastodon software. However, that software now faces several newly discovered vulnerabilities. GitHub lists five security advisories, two of high severity:

Technical Details:

CVE ID: CVE-2023-36460 (Critical Severity): the one with the most severe consequences. It allows attackers to create and overwrite files that Mastodon has access to, which can lead to DDoS and arbitrary code execution.

CVE ID: CVE-2023-36459 (Critical Severity): allows cross-site scripting (XSS) payloads to be rendered in the browser, injecting arbitrary malicious code through clicked links.

CVE ID: CVE-2023-36461 (High Severity): allows malicious servers to indefinitely extend the duration of responses through Slowloris-type attacks, leading to a denial of service that leaves Mastodon servers unresponsive.

CVE ID: CVE-2023-28853 (High Severity): allows LDAP injection attacks that can leak attributes from the LDAP database.

CVE ID: CVE-2023-36462 (Moderate Severity): allows misleading links to be shown as verified profile links, which could easily enable phishing attacks.
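Added example (not Mastodon's own code) of the mitigation the CVE-2023-36461 entry implies: a per-read timeout alone does not stop a remote server that drips a response one byte at a time, so the whole fetch also needs a total deadline. The drip-feed server and the `fetch_with_deadline` helper are constructed fixtures for illustration.

```ruby
require "socket"
require "net/http"
require "timeout"

# Constructed fixture: a local stand-in for a malicious remote instance. It
# answers with valid headers, then drips the body one byte per tick. Every
# individual read completes quickly, so a per-read timeout never fires, yet
# the response as a whole never finishes within a sane bound.
def start_drip_server(bytes: 20, tick: 0.2)
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1] # ephemeral port chosen by the OS
  Thread.new do
    client = server.accept
    # Discard the request headers up to the blank line.
    while (line = client.gets) && line != "\r\n"; end
    client.write("HTTP/1.1 200 OK\r\nContent-Length: #{bytes}\r\n" \
                 "Connection: close\r\n\r\n")
    bytes.times { client.write("x"); sleep tick }
  rescue IOError, SystemCallError
    # The peer gave up early; that is the expected outcome for a hardened client.
  ensure
    client&.close
    server.close
  end
  port
end

# Hypothetical hardened fetch. read_timeout bounds each socket read;
# deadline bounds the entire exchange, which is what actually protects
# against a drip-fed response. Returns the body size on success, or a
# symbol naming which limit stopped the request.
def fetch_with_deadline(port, read_timeout:, deadline:)
  http = Net::HTTP.new("127.0.0.1", port)
  http.open_timeout = read_timeout
  http.read_timeout = read_timeout
  Timeout.timeout(deadline) { http.start { |h| h.get("/").body.bytesize } }
rescue Net::ReadTimeout
  :read_timeout   # a single read stalled longer than read_timeout
rescue Timeout::Error
  :deadline_exceeded # the whole exchange outlived the deadline
end
```

With `read_timeout: 2.0` alone the client would sit through the whole drip (10 bytes at 0.2 s each, 2 s); adding `deadline: 1.0` cuts it off at one second.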


Of all five vulnerabilities, the most severe is CVE-2023-36460, which has been named TootRoot. In essence, this vulnerability can be used to plant backdoors on the servers that deliver content to end users (Beaumont, 2023). Through it, attackers can gain complete control of the servers and their data, leaving sensitive data exposed. With over 8.8 million users spread across 13,000 separate servers, it was critical for the team to address these vulnerabilities. The vulnerabilities were discovered by auditors at Mastodon’s request.

