Mastodon Alert: CVE-2024-23832 Unlocks Account Takeover Threat
A critical vulnerability in the decentralized social networking platform Mastodon could be exploited to impersonate and take over any remote account.
Mastodon is a free, open-source social network server based on ActivityPub, where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, and video. Mastodon has grown into a bustling digital agora, and its more than 45.2k GitHub stars signal its popularity among those seeking an alternative to the centralized social media behemoths.
CVE-2024-23832 has been identified as a severe security flaw with a CVSS score of 9.4. This score underlines the gravity of the situation: a vulnerability that could potentially allow attackers to impersonate and take control of any Mastodon account remotely. The root of this peril lies in what the advisory terms "insufficient origin validation," a seemingly benign oversight with devastating implications.
“Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account,” Mastodon notes in an advisory.
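To make the phrase "origin validation" concrete, the following is an added illustration written for this article; it is not Mastodon's code and does not reproduce the patched logic or the flaw itself. It shows the kind of defensive check a federated server can apply when it fetches a remote ActivityPub object: the object's `id` and its `attributedTo`/`actor` owner must share the scheme, host and port of the URL the object was fetched from, so a response from one server cannot be accepted as if it described an account on another. The sample objects are constructed for the example, and the field names follow the public ActivityPub vocabulary.

```python
from urllib.parse import urlsplit

# Constructed sample: a Note as a server might fetch it from a remote instance.
GENUINE_NOTE = {
    "id": "https://example.social/notes/1",
    "type": "Note",
    "attributedTo": "https://example.social/users/alice",
    "content": "hello fediverse",
}

# Constructed sample: the same document, but the id and owner point at a
# different server than the one that served it. Origin validation should
# reject this rather than attribute the content to the other server's user.
MISMATCHED_NOTE = {
    "id": "https://victim.example/notes/99",
    "type": "Note",
    "attributedTo": "https://victim.example/users/bob",
    "content": "spoofed content",
}


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, or None if unusable.

    The default port is filled in so that 'https://h/' and 'https://h:443/'
    compare as the same origin. urlsplit lowercases the hostname for us.
    """
    if not isinstance(url, str):
        return None
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port)


def same_origin(url_a, url_b):
    """True only if both URLs parse and share scheme, host and port."""
    oa, ob = origin(url_a), origin(url_b)
    return oa is not None and oa == ob


def owner_of(obj):
    """Extract the owner URL from attributedTo or actor (string or embedded object)."""
    owner = obj.get("attributedTo") or obj.get("actor")
    if isinstance(owner, dict):
        owner = owner.get("id")
    return owner


def check_object_origin(fetched_from, obj):
    """Accept a fetched object only if its id and owner are same-origin with
    the URL it was retrieved from (hypothetical policy for this example)."""
    if not isinstance(obj, dict):
        return False
    if not same_origin(fetched_from, obj.get("id")):
        return False
    if not same_origin(fetched_from, owner_of(obj)):
        return False
    return True


if __name__ == "__main__":
    print(check_object_origin("https://example.social/notes/1", GENUINE_NOTE))
    print(check_object_origin("https://example.social/notes/1", MISMATCHED_NOTE))
```

The check is deliberately strict about scheme and port as well as host: a plain-http or odd-port URL with the same hostname is a different origin, which is the same rule browsers apply, and it is a cheap way to avoid being tricked by look-alike identifiers.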
The discovery of this flaw throws a stark light on the vulnerabilities that can plague even the most decentralized of platforms. Mastodon’s federated structure, designed to empower users by enabling them to connect across a tapestry of servers, now faces a critical test. The flaw spans multiple release lines of the platform, affecting every Mastodon version prior to 3.5.17, as well as 4.0.x versions prior to 4.0.13, 4.1.x versions prior to 4.1.13, and 4.2.x versions prior to 4.2.5.
The discovery of CVE-2024-23832 sent shockwaves through the Mastodon community. The platform’s developers have issued advisories, pinpointing every version vulnerable to this exploit. From versions prior to 3.5.17, through the 4.0.x, 4.1.x, to 4.2.x series, no iteration of Mastodon was left untouched by this flaw until the specified updates were made.
The person behind the unmasking of this vulnerability is none other than security researcher Arcanicanis. Mastodon, in response, has issued an advisory, cautioning users and administrators of the potential for account impersonation and takeover. The platform’s developers are working tirelessly to patch this vulnerability, promising more details by February 15, 2024, in a bid to give admins ample time to update their systems.