Decentralized social network Mastodon has revealed a critical security flaw that allows malicious actors to impersonate and take control of any account.
“Due to insufficient source validation across all Mastodons, attackers can impersonate and take control of any remote account,” the maintainers said in a terse advisory.
The vulnerability, tracked as CVE-2024-23832, has a severity score of 9.4 out of a possible 10. Security researcher arconicanis was credited with discovering and reporting it.
It has been described as an “origin validation error” (CWE-346), which can typically allow an attacker to “access any functionality that is inadvertently accessible to the origin.”
Every version of Mastodon before 3.5.17 is vulnerable, as are 4.0.x versions before 4.0.13, 4.1.x versions before 4.1.13, and 4.2.x versions before 4.2.5.
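For administrators who need to verify whether a given instance has taken the fix, the following is an added example (not code from the advisory or from the Mastodon project) that encodes the affected series listed above as a version check. It assumes the `version` string returned by the instance API (the `/api/v1/instance` endpoint), and the sample JSON it parses is constructed for illustration; treating release series newer than 4.2.x as fixed is an assumption the page does not state.

```python
import json
import re

# Fixed releases named in the advisory, keyed by release series.
FIXED_PATCH_BY_SERIES = {(3, 5): 17, (4, 0): 13, (4, 1): 13, (4, 2): 5}
# Every release older than 3.5.17 is affected regardless of series.
OLDEST_FIXED = (3, 5, 17, 1)

# Leading numeric triple, optional "-rc1"-style pre-release tag; any "+build" suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch, final) where final is 0 for pre-releases and 1 for releases.

    The trailing flag makes "4.2.5-rc1" sort below "4.2.5", as a pre-release should.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Mastodon version string: {version!r}")
    major, minor, patch, prerelease = match.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_patched(version: str) -> bool:
    """True if the version carries the CVE-2024-23832 fix according to the advisory's ranges."""
    major, minor, patch, final = parse_version(version)
    if (major, minor, patch, final) < OLDEST_FIXED:
        return False  # older than 3.5.17: affected
    fixed_patch = FIXED_PATCH_BY_SERIES.get((major, minor))
    if fixed_patch is not None:
        # Same series as a listed fix: patched only at or above the fixed patch level,
        # and a pre-release of the fixed version does not count.
        return (patch, final) >= (fixed_patch, 1)
    # Assumption: a series not named in the advisory (e.g. 4.3.x) shipped with the fix.
    return True


def check_instance(instance_json: str) -> dict:
    """Summarise patch status from an instance API response body."""
    data = json.loads(instance_json)
    version = data.get("version")
    if not version:
        raise ValueError("instance response has no 'version' field")
    return {"version": version, "patched": is_patched(version)}


if __name__ == "__main__":
    # Constructed sample of the relevant part of an instance API response.
    sample = '{"uri": "example.invalid", "version": "4.2.4"}'
    print(check_instance(sample))  # {'version': '4.2.4', 'patched': False}
```

The check is deliberately conservative: a pre-release build of a fixed version (such as `4.2.5-rc1`) is reported as unpatched, and anything that fails to parse raises rather than being silently treated as safe.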
Mastodon said it will withhold further technical specifications on the flaw until February 15, 2024, to give administrators ample time to update server instances and reduce the likelihood of exploitation.
“Any amount of detail would make it very easy to find an exploit,” the maintainers added.
The federated nature of the platform means that it runs on separate servers (i.e. instances), hosted and managed independently by respective administrators who create their own locally enforced rules and regulations.
This also means that not only does each instance have a unique code of conduct, terms of service, privacy policy, and content moderation guidelines, but each administrator is also responsible for promptly applying security updates to protect their instance from potential risks.
The disclosure comes nearly seven months after Mastodon patched two other critical flaws (CVE-2023-36460 and CVE-2023-36459) that could have been weaponized by adversaries to cause denial-of-service (DoS) or achieve remote code execution.