Summary
Due to a gap in validation of federated content in the affected Mastodon versions, attackers can craft payloads that impersonate remote ActivityPub actors (federated accounts) as seen from the affected server.
Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
Details
In some code paths, vulnerable versions of Mastodon would not correctly check the `id` property of remote ActivityPub objects such as posts and accounts.

Indeed, while Mastodon normally ensures that the `id` property of every fetched object correctly reflects the URL of the object, code paths involving `FetchRemoteResource` passed down the `id` property of the fetched object instead of the queried URL (mastodon/app/services/fetch_resource_service.rb, lines 48 to 51 in 8c183a9):

```ruby
body = response.body_with_limit
json = body_to_json(body)

# json['id'] is taken from the response body, not from the URL that was
# actually requested, and is returned alongside the body as its identity.
[json['id'], { prefetched_body: body, id: true }] if supported_context?(json) && (equals_or_includes_any?(json['type'], ActivityPub::FetchRemoteActorService::SUPPORTED_TYPES) || expected_type?(json))
```

This resulted in an incorrect comparison when ingesting the remote object, always trusting the fetched object's self-reported `id` property regardless of where the object was actually located.
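The following is an added example, not code from this advisory or from the Mastodon code base. It contrasts the vulnerable shape above with the check a resolver needs: a fetched body is only authoritative for the URL it was fetched from. The sample actor documents, hostnames (`attacker.example`, `mastodon.example`) and the function names are constructed for illustration; the hardened function shows the required comparison, not Mastodon's actual patch.

```ruby
require 'json'
require 'uri'

# Constructed sample (not captured traffic): the JSON an attacker-controlled
# server at attacker.example serves at https://attacker.example/actors/evil.
# Its "id" claims to be an unrelated actor hosted on mastodon.example, and
# its inbox points back at the attacker, so later deliveries would be diverted.
QUERIED_URL   = 'https://attacker.example/actors/evil'
ATTACKER_BODY = JSON.generate(
  '@context'          => 'https://www.w3.org/ns/activitystreams',
  'id'                => 'https://mastodon.example/users/alice',
  'type'              => 'Person',
  'preferredUsername' => 'alice',
  'inbox'             => 'https://attacker.example/inbox'
)

# Constructed honest sample: the id matches the URL it was fetched from.
HONEST_URL  = 'https://mastodon.example/users/alice'
HONEST_BODY = JSON.generate(
  '@context' => 'https://www.w3.org/ns/activitystreams',
  'id'       => HONEST_URL,
  'type'     => 'Person',
  'inbox'    => 'https://mastodon.example/inbox'
)

# Vulnerable shape, mirroring the snippet quoted in the advisory: whatever id
# the body reports is passed down together with the body and treated as the
# object's location, so the attacker's document is stored as alice.
def fetched_id_vulnerable(_queried_url, body)
  json = JSON.parse(body)
  [json['id'], { prefetched_body: body, id: true }]
end

# Hardened shape (illustrative, not Mastodon's actual fix). Outcomes:
#   [:ok, id]       id == queried URL; the body may be ingested under that id
#   [:refetch, id]  id is a different https URL; the body is discarded and the
#                   caller must fetch `id` from its own origin, then re-run
#                   this check on that response
#   [:reject, why]  id missing or not a usable https URL
def verify_fetched_object(queried_url, body)
  json = JSON.parse(body)
  id   = json['id']
  return [:reject, 'missing id'] unless id.is_a?(String)

  begin
    uri = URI.parse(id)
  rescue URI::InvalidURIError
    return [:reject, 'id is not a valid URI']
  end
  return [:reject, 'id is not an https URL'] unless uri.is_a?(URI::HTTPS) && uri.host

  return [:ok, id] if id == queried_url

  # Never hand the attacker-supplied body along under the claimed id.
  [:refetch, id]
end

if __FILE__ == $PROGRAM_NAME
  p fetched_id_vulnerable(QUERIED_URL, ATTACKER_BODY).first # attacker body accepted as alice
  p verify_fetched_object(QUERIED_URL, ATTACKER_BODY)       # [:refetch, ".../users/alice"]
  p verify_fetched_object(HONEST_URL, HONEST_BODY)          # [:ok, ".../users/alice"]
end
```

The re-fetch step is what defeats the attack: the only server that can answer a request for `https://mastodon.example/users/alice` is mastodon.example itself, so the attacker's document never gets stored under that id, and an attacker-controlled `inbox` cannot be substituted for the real one.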
Impact
This vulnerability allowed attackers to impersonate any remote ActivityPub actor as observed from a vulnerable Mastodon server, even if the remote server did not use Mastodon. This vulnerability could also be used to overwrite existing objects, including protocol details, allowing attackers to intercept further traffic between a vulnerable Mastodon server and an impersonated remote ActivityPub actor.