The maintainers of the open source software that powers the Mastodon social network published a security update on Thursday that patches a critical vulnerability making it possible for hackers to backdoor the servers that push content to individual users.
Mastodon is based on a federated model. The federation comprises thousands of separate servers known as “instances.” Individual users create an account with one of the instances, which in turn exchange content to and from users of other instances. To date, Mastodon has more than 12,000 instances and 14.5 million users, according to fedidb.org/, a site that tracks statistics related to Mastodon.
A critical bug tracked as CVE-2023-36460 was one of two vulnerabilities rated as critical that were fixed on Thursday. In all, Mastodon on Thursday patched five vulnerabilities.
So far, Mastodon gGmbH, the nonprofit that maintains the software instances uses to operate the social network, has released few details about CVE-2023-36460 other than to describe it as an “arbitrary file creation through media attachments” flaw.
“Using carefully crafted media files, attackers can cause Mastodon’s media processing code to create arbitrary files at any location,” Mastodon said. “This allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution.”
In a Mastodon post, independent security researcher Kevin Beaumont went a step further, writing that exploiting the vulnerability allowed someone “to send a toot which makes a webshell on instances that process said toot.” He coined the name #TootRoot because user posts, known as toots, allowed hackers to potentially gain root access to instances.
An attacker with control over thousands of instances could inflict all kinds of harm on individual users and possibly the larger Internet. For example, hijacked instances could send alerts to users instructing them to download and install malicious apps or bring the entire infrastructure to a halt. There are no indications that the bug has ever been exploited.
Thursday’s patch is the product of recent penetration testing work that the Mozilla Foundation funded, Renaud Chaput, cofounder and CTO of Notos, told Ars. He said a firm called Cure53 performed the pentesting and that the code fixes were developed by the several-person team inside the Mastodon nonprofit. Mozilla has announced plans to create its own Mastodon instance. Chaput said that Mastodon sent pre-announcements to large servers in recent weeks, informing them of the fix so they would be ready to patch quickly.
In all, Mastodon’s Thursday patch batch fixed five vulnerabilities. One of the bugs, tracked as CVE-2023-36459, also carried a critical severity rating. Mastodon’s bare-bones writeup described the flaw as an “XSS through oEmbed preview cards.”
It continued: “Using carefully crafted oEmbed data, an attacker can bypass the HTML sanitization performed by Mastodon and include arbitrary HTML in oEmbed preview cards. This introduces a vector for Cross-site-scripting (XSS) payloads that can be rendered in the user’s browser when a preview card for a malicious link is clicked through.”
XSS exploits allow hackers to inject malicious code into websites, which in turn cause it to run in the browsers of people visiting the site. oEmbed is an open format for allowing an embedded representation of a URL on third-party sites. No other details about the vulnerability were immediately available.
The three other vulnerabilities carried high and medium severity ratings. They included a “Blind LDAP injection in login [that[ allows the attacker to leak arbitrary attributes from LDAP database,” “Denial of Service through slow HTTP responses,” and “Verified profile links [that] can be formatted in a misleading way.”
The patches come as social media behemoth Meta rolled out a new service intended to pick up Twitter users who are leaving the platform. There’s no action individual Mastodon users need to take other than to ensure that the instance they’re subscribed to has installed the updates.
Updated to fix description of Cure53.