### Summary
Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account.
Every Mastodon version prior to 3.5.17 is vulnerable, as well as...
If your instance is not up to date (see footer), you can pass this along to your admins to check
Every barrier that slows down attacks a little is worth it when you are trying to buy time so people can apply emergency updates. It’s not about stopping them from ever figuring it out.
Depends on skill level and the exact nature of the flaw. There’s definitely going to be a nonzero number of malicious people who lie in the middle distance “I can come up with a way to exploit flaws if I have a detailed trail of breadcrumbs” and “I can’t be bothered to do an unlimited amount of work to track down how to do this, I have other malicious things on my schedule for today.”
People who would create exploits for this definitely can’t read the diffs and see what changed.
they’re just delaying it by two weeks…
Every barrier that slows down attacks a little is worth it when you are trying to buy time so people can apply emergency updates. It’s not about stopping them from ever figuring it out.
Depends on skill level and the exact nature of the flaw. There’s definitely going to be a nonzero number of malicious people who lie in the middle distance “I can come up with a way to exploit flaws if I have a detailed trail of breadcrumbs” and “I can’t be bothered to do an unlimited amount of work to track down how to do this, I have other malicious things on my schedule for today.”