Connect with us

Hi, what are you looking for?

Hard News Hard Hitting News Source Global Political News

Cyber Security

Mastodon vulnerable to multiple system configuration problems

Multiple instances of social media platform Mastodon are vulnerable to system configuration issues, security researcher Lenin Alevski warns.

The exodus of former Twitter users in response to the upheavals that have accompanied Elon Musk’s takeover of Twitter have shone the spotlight on Mastodon.

It has become the go-to hangout for many of infosec’s community who have swapped tweeting for ‘tooting’ on the platform.

Security researchers such as Alevski, and PortSwigger’s Gareth Heyes before him, however have found the security maturity of Mastodon wanting.

More specifically, Alevski recently found that the infosec.exchange instance of Mastodon was uploaded to storage buckets that failed to apply access controls.

This shortcoming, explained in a technical blog post, made it possible for an attacker to access a user’s profile picture or any other uploaded data and replace it with arbitrary content.

The vulnerability also meant it was possible to download files from the server – including those shared by direct message (DMs on Mastodon, unlike Twitter, omit encryption). Destructive attacks, including the deletion of files on the server, were also possible.

The security shortcoming – which opened the door to all manner of mischief making and trolling – was quickly addressed after Alevski reported the issue to Jerry Bell, the sys admin who administers the infosec.exchange instance of Mastodon.

Bell told The Daily Swig: “It was a misconfigured access policy on the bucket. I hadn’t removed write access from the default access path.”

In a blog post published after the issue was resolved, Alevski added that “system misconfiguration at the object storage level defeats whatever security mechanism Mastodon has on top”.

Alevski concluded by warning that infosec.exchange is far from an isolated case of system configuration problems in the Mastodon ecosystem. The security researcher has gone on to discover misconfigurations on other Mastodon instances.

“I found similar problems with a couple of them [other instances] and I [have] already reported the vulnerabilities,” according to Alevski.

Copyright 2021 Associated Press. All rights reserved.

Source: https://portswigger.net/daily-swig/mastodon-vulnerable-to-multiple-system-configuration-problems

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Cyber Security

Actors linked to adversarial nations — namely China and Russia — worked across platforms to push inaccurate content, according to a report released Tuesday....

Business News

LONDON (AP) — Starting Friday, Europeans will see their online life change. People in the 27-nation European Union can alter some of what shows up when...

Business News

SAN FRANCISCO (AP) — Elon Musk may want to send “tweet” back to the birds, but the ubiquitous term for posting on the site he...

Business News

LONDON (AP) — Elon Musk has unveiled a new black and white “X” logo to replace Twitter’s famous blue bird as he follows through...

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO