Critical TootRoot bug lets attackers hijack Mastodon servers

Share:

Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, one of them critical that allows hackers to create arbitrary files on the server using specially crafted media files.

Mastodon has about 8.8 million users spread across 13,000 separate servers (instances) hosted by volunteers to support distinct yet inter-connected (federated) communities.

All the four issues fixed were discovered by independent auditors at Cure53, a company that provides penetration testing for online services. The auditors inspected Mastodon’s code at Mozilla’s request.

The most severe of the vulnerabilities is tracked as CVE-2023-36460 and has been named TootRoot. It gives attackers a particularly easy way to compromise target servers.

CVE-2023-36460 is a problem in Mastodon’s media processing code that allows using media files on toots (the equivalent of tweets) to cause a range of problems, from denial of service (DoS) to arbitrary remote code execution.

Although Mastodon’s security bulletin is laconic, security researcher Kevin Beaumont highlighted the risks associated with TootRoot, saying that a toot can be used to plant backdoors on the servers that deliver content to Mastodon users.

Toot

Such a compromise would give attackers unlimited control over the server and the data it hosts and manages, and extends to users’ sensitive information.

The second critical-severity flaw is CVE-2023-36459, a cross-site scripting (XSS) on oEmbed preview cards used in Mastodon that allows bypassing HTML sanitization on the target browser.

Attacks leveraging this flaw could be used for account hijacking, user impersonation or accessing sensitive data.

The other two vulnerabilities that Mastodon addressed are CVE-2023-36461, a high-severity DoS flaw through slow HTTP responses, and CVE-2023-36462, also rated with high-severity that lets an attacker format a verified profile link in a deceptive manner that can be used for phishing.

The four vulnerabilities impact all versions of Mastodon from 3.5.0 onward, and were patched in versions 3.5.9, 4.0.5, and 4.1.3.

The patches are server security updates and need to be applied by administrators to remove the risk for their communities.

 

(c) Bill Toulas

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top