
Remote user impersonation and takeover

Critical
Gargron published GHSA-3fjr-858r-92rw Feb 1, 2024

Package

No package listed

Affected versions

all

Patched versions

3.5.17, 4.0.13, 4.1.13, 4.2.5

Description

Summary

Due to a gap in validation of federated content in the affected Mastodon versions, attackers can craft payloads that impersonate remote ActivityPub actors (federated accounts) as seen from the affected server.

Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

Details

In some code paths, vulnerable versions of Mastodon would not correctly check the id property of remote ActivityPub objects such as posts and accounts.

Indeed, while Mastodon normally ensures that the id property of every fetched object correctly reflects the URL of the object, code paths involving FetchRemoteResource passed down the id property of the fetched object instead of the queried URL:

body = response.body_with_limit
json = body_to_json(body)
[json['id'], { prefetched_body: body, id: true }] if supported_context?(json) && (equals_or_includes_any?(json['type'], ActivityPub::FetchRemoteActorService::SUPPORTED_TYPES) || expected_type?(json))

This resulted in an incorrect comparison when ingesting the remote object, always trusting the fetched object's self-reported id property regardless of where the object was actually located.
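As an added example (not code from the advisory and not Mastodon's own implementation), the two shapes are shown side by side in Ruby against an in-memory stand-in for the network. FAKE_NETWORK, fake_fetch, fetch_resource_vulnerable, fetch_resource_hardened, resolved_inbox and the *.example hostnames are all constructed for this illustration. The vulnerable function mirrors the snippet above: it hands the ingester the document's self-reported id. The hardened function models the rule the advisory implies, accepting a body under an id only when that id is the URL it was actually fetched from; it is an assumed illustration, not Mastodon's exact patch.

```ruby
require 'json'

# Constructed stand-in for the network (no real hosts): URL => JSON body as a
# remote server would serve it.
FAKE_NETWORK = {
  # Genuine actor document served from its own URL; id and URL agree.
  'https://victim.example/users/alice' => {
    'id' => 'https://victim.example/users/alice',
    'type' => 'Person',
    'inbox' => 'https://victim.example/users/alice/inbox',
  },
  # Document served from another origin that self-reports alice's id and a
  # different inbox: the id/URL mismatch the advisory describes.
  'https://attacker.example/objects/1' => {
    'id' => 'https://victim.example/users/alice',
    'type' => 'Person',
    'inbox' => 'https://attacker.example/inbox',
  },
  # Document whose id points at another URL that again disagrees with itself,
  # to exercise the single-follow limit in the hardened variant.
  'https://attacker.example/objects/2' => {
    'id' => 'https://attacker.example/objects/3',
    'type' => 'Person',
    'inbox' => 'https://attacker.example/inbox',
  },
  'https://attacker.example/objects/3' => {
    'id' => 'https://victim.example/users/alice',
    'type' => 'Person',
    'inbox' => 'https://attacker.example/inbox',
  },
}.transform_values(&:to_json).freeze

# Actor types accepted by the simplified type check (constructed list).
SUPPORTED_TYPES = %w(Application Group Organization Person Service).freeze

# Returns [raw_body, parsed_json] for a known URL, or [nil, nil] when the URL
# is unknown or the document is not an actor type.
def fake_fetch(url)
  body = FAKE_NETWORK[url]
  return [nil, nil] if body.nil?
  json = JSON.parse(body)
  return [nil, nil] unless SUPPORTED_TYPES.include?(json['type'])
  [body, json]
end

# Vulnerable shape, matching the advisory's snippet: the id handed to the
# ingestion code is the document's own claim, not the URL that was queried.
def fetch_resource_vulnerable(url)
  body, json = fake_fetch(url)
  return nil if json.nil?
  [json['id'], { prefetched_body: body, id: true }]
end

# Hardened shape (assumed illustration, not Mastodon's exact patch): a body is
# accepted under an id only when that id equals the URL it was fetched from.
# On a mismatch the claimed id is fetched once more and must agree with
# itself; a second mismatch is rejected rather than followed further.
def fetch_resource_hardened(url, terminal: false)
  body, json = fake_fetch(url)
  return nil if json.nil?
  return [url, { prefetched_body: body, id: true }] if json['id'] == url
  return nil if terminal
  fetch_resource_hardened(json['id'], terminal: true)
end

# What an ingester would end up storing for the actor: the [id, inbox] pair.
def resolved_inbox(result)
  return nil if result.nil?
  id, opts = result
  [id, JSON.parse(opts[:prefetched_body])['inbox']]
end

if __FILE__ == $PROGRAM_NAME
  hostile = 'https://attacker.example/objects/1'
  # Vulnerable: alice's id is paired with the attacker's inbox.
  p resolved_inbox(fetch_resource_vulnerable(hostile))
  # Hardened: alice's id is only ever paired with the body served at her URL.
  p resolved_inbox(fetch_resource_hardened(hostile))
  # Hardened: a chain of disagreeing documents is rejected (nil).
  p fetch_resource_hardened('https://attacker.example/objects/2')
end
```

The ingester downstream keys its lookup on the returned id, so the vulnerable variant lets a body served from one origin be stored under an actor id belonging to another; the hardened variant makes the stored body always the one served at the id's own URL, which is also the property a post-patch server should verify when reviewing what its actor cache holds.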

Impact

This vulnerability allowed attackers to impersonate any remote ActivityPub actor as observed from a vulnerable Mastodon server, even if the remote server did not use Mastodon. This vulnerability could also be used to overwrite existing objects, including protocol details, allowing attackers to intercept further traffic between a vulnerable Mastodon server and an impersonated remote ActivityPub actor.

Severity

Critical 9.4 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CVE ID

CVE-2024-23832

Weaknesses

Credits