TechRadar
Craig Hale

Mastodon fixes major security flaw that could have allowed system hijacking

Social media challenger Mastodon has issued fixes for no fewer than five security vulnerabilities, the majority of which are categorized as high or critical severity.

The flaws include CVE-2023-36460, which could have allowed an attacker to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. The update confirms that versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this vulnerability.

Beyond a brief overview, few details about the vulnerability have been confirmed. It is believed that an attacker might have been able to spread malware using the flaw, but it is so far unclear whether it has been actively exploited.
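As an added example (not code from the article or from the Mastodon project), the following turns the patched releases named above into a per-branch version check an administrator can run over an inventory of instances; the hostnames are constructed, and reading fork suffixes such as "+glitch" by their leading numeric triple is an assumption.

```python
import re

# Patched releases named in the advisory, keyed by release branch (major, minor).
PATCHED = {
    (3, 5): (3, 5, 9),
    (4, 0): (4, 0, 5),
    (4, 1): (4, 1, 3),
}

# Leading numeric triple, plus an optional pre-release suffix such as "-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(version: str):
    """Return ((major, minor, patch), is_prerelease) from a version string.

    Instances report strings such as "4.1.2" or, on forks, "4.1.2+glitch";
    build metadata after "+" is ignored (assumption: forks track upstream
    numbering), while a "-rc1"-style suffix marks a pre-release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    triple = tuple(int(x) for x in m.group(1, 2, 3))
    return triple, m.group(4) is not None


def patch_status(version: str) -> str:
    """Classify a version as "patched", "vulnerable" or "unknown".

    "unknown" means the branch is not one the advisory names, so the
    advisory alone does not say whether the fix is present. A pre-release
    of the fixed version is treated conservatively as vulnerable.
    """
    triple, prerelease = parse_version(version)
    fixed = PATCHED.get(triple[:2])
    if fixed is None:
        return "unknown"
    if triple > fixed or (triple == fixed and not prerelease):
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> version string reported by the instance.
    inventory = {
        "example-a.invalid": "4.1.2",
        "example-b.invalid": "4.1.3",
        "example-c.invalid": "3.5.9+glitch",
        "example-d.invalid": "4.2.0-rc1",
    }
    for host, ver in inventory.items():
        print(f"{host:20} {ver:14} {patch_status(ver)}")
```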

Mastodon security patches

The description for another vulnerability, known as CVE-2023-36462, reads: “An attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether.” This was considered to have the least severe consequences, marked as moderate.

Through this, an attacker might have been able to reformat URLs to mask the fact that they were instead redirecting to phishing campaigns or malware sites.

Further high and critical issues fixed include a slowloris-type Denial of Service attack vulnerability, cross-site scripting (XSS) attacks, and the potential for an attacker to leak arbitrary attributes from the LDAP database.

While Mastodon is responsible for issuing the fixes, Cure53 has been credited with the penetration testing, with thanks to funding from the Mozilla Foundation.

This comes at a time when Mastodon continues to attract new social media users as Twitter users look to abandon the once Musk-led platform. With new CEO Linda Yaccarino at the helm, positive changes are yet to materialize. At the same time, Meta’s new Threads platform is trying to sweep up ex-Twitter users.
