### Summary
Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account.
Every Mastodon version prior to 3.5.17 is vulnerable, as well as...
If your instance is not up to date (see footer), you can pass this along to your admins to check.
I wonder if the companies that forked mastodon (like truth social) will bother to update. I can see someone posting stuff as a former president with this flaw.
Eh, stuff like truth social doesn’t federate with anything anyway, so unfortunately this isn’t a vulnerability for them.
Has it been confirmed this is a federation bug?
Based on this commit, which fixes the vulnerability, the bug seems to lie within the ActivityPub receive logic, specifically validation of remote resources.
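To make the "validation of remote resources" point concrete, here is an added example (not code from this thread and not Mastodon's own code) of one form of origin validation a server can apply when it fetches an ActivityPub object: the `id` inside the returned JSON must share scheme, host and port with the URL the object was fetched from, otherwise a remote server could hand back a document claiming to be an account hosted elsewhere. The helper names, the constructed sample documents and the exact shape of the check are assumptions made for illustration.

```ruby
require 'json'
require 'uri'

# Constructed sample: the document an honest server returns for
# https://remote.example/users/alice (assumption, not real data).
SAMPLE_OK = {
  'id' => 'https://remote.example/users/alice',
  'type' => 'Person',
  'preferredUsername' => 'alice'
}.to_json

# Constructed sample: a document fetched from remote.example whose id
# claims an account on a different host. A server that trusts the id
# without comparing it to the fetch origin would file this under the
# wrong account.
SAMPLE_SPOOFED = {
  'id' => 'https://victim.example/users/bob',
  'type' => 'Person',
  'preferredUsername' => 'bob'
}.to_json

# True when both URLs have the same scheme, host and effective port.
# URI.parse fills in the default port (443 for https), so an explicit
# ":443" and an omitted port compare equal. A missing host (e.g. a
# relative id) yields an empty string and therefore never matches.
def same_origin?(url_a, url_b)
  a = URI.parse(url_a)
  b = URI.parse(url_b)
  a.scheme == b.scheme &&
    a.host.to_s.downcase == b.host.to_s.downcase &&
    a.port == b.port
end

# Validate a fetched ActivityPub object against the URL it came from.
# Returns [:accept, parsed_object] or [:reject, reason].
def validate_fetched_object(fetched_url, body)
  obj = JSON.parse(body)
  id = obj['id']

  # Every dereferenceable object must carry a string id.
  return [:reject, 'missing id'] unless id.is_a?(String)

  # Only accept https ids; an http or scheme-less id cannot be
  # authenticated against the TLS origin we actually talked to.
  return [:reject, 'id is not https'] unless id.start_with?('https://')

  # Core origin check: the object may only describe something hosted
  # on the server that served it.
  return [:reject, 'id origin does not match fetch origin'] unless same_origin?(fetched_url, id)

  [:accept, obj]
rescue JSON::ParserError, URI::InvalidURIError => e
  [:reject, "unparseable: #{e.class}"]
end

if __FILE__ == $PROGRAM_NAME
  url = 'https://remote.example/users/alice'
  p validate_fetched_object(url, SAMPLE_OK).first       # :accept
  p validate_fetched_object(url, SAMPLE_SPOOFED)        # [:reject, "id origin does not match fetch origin"]
end
```

The same comparison applies to any other URL a received document asks the server to trust, so in practice the check is run once per fetched object rather than only for actor documents.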
Oh great, thanks.