Researchers have discovered a serious security issue in the social networking platform Mastodon. Specifically, the vulnerability appeared due to a system misconfiguration, allowing an adversary to replace Mastodon users’ profile content with random stuff.
System Configuration Vulnerability In Mastodon
Security researcher Lenin Alevski has elaborated on his findings about a severe Mastodon vulnerability that risked the integrity of users’ accounts. Specifically, he noticed a system misconfiguration that allowed him to access other users’ profiles and replace the content (profile pictures and posts) with random stuff.
Mastodon is an open-source social media platform rivaling Twitter. Its free availability, open-source distribution, and catchy features made this site popular among users, especially in the cybersecurity community, allowing them to “toot” their opinions and information without hassle.
As explained in his post, Alevski, after hearing about Mastodon on Twitter, created an account on the site. He then noticed a misconfiguration on the infosec.exchange instance on Mastodon, where most cybersecurity users used to gather information.
Specifically, following his registration, he wondered where the user-uploaded content gets stored on the platform. Hence, digging up its code made him reach “https://media.infosec.exchange/infosecmedia,” which showed the use of MinIO buckets. Moving on further made him access many other folders, even with anonymous credentials. (Alevski dubbed this issue similar to directory traversal vulnerability).
Then, he could even download the site’s logo and upload a modified version, making him realize the explicit access. As mentioned in his post, Alevski could download all files from the server, delete them, or even replace them with arbitrary files.
Commenting further, he stated,
This system misconfiguration at the object storage level defeats whatever security mechanism Mastodon has on top.
Mastodon Patched The Flaw
Following this discovery, Alevski reported the matter to jerry@infosec.exchange, who acknowledged the flaw. Eventually, the researcher confirmed that the vulnerability received a patch, securing the stored files promptly.
Nonetheless, the matter didn’t end up with the infosec.exchange instance only. Alevski scrutinized other instances and found similar issues that he had reported already.
Let us know your thoughts in the comments.