Mastodon addresses critical vulnerabilities, patching flaw allowing server takeover
The decentralized social network Mastodon has issued a security update to fix several critical vulnerabilities. The most severe, CVE-2023-36460, also known as "TootRoot", lets attackers abuse the media attachments feature to create or overwrite files on an instance. This can lead to denial of service and, potentially, arbitrary remote code execution, posing a significant threat to users and the wider Internet ecosystem. In a worst-case scenario, an attacker in control of multiple instances could instruct users to download malicious applications, or even disrupt the entire network's infrastructure. While the vulnerability has not yet been exploited, the potential risk is high.
The flaw was discovered during a comprehensive penetration testing initiative funded by the Mozilla Foundation and carried out by the security firm Cure53. The security update addresses five vulnerabilities in total, including another severe issue, CVE-2023-36459, which allowed attackers to inject arbitrary HTML into oEmbed preview cards, potentially enabling Cross-Site Scripting (XSS) attacks against users who clicked on malicious links.
In addition to these, Mastodon fixed three other vulnerabilities of high and medium severity: blind LDAP injection, denial of service through slow HTTP responses, and misleadingly formatted verified profile links. To safeguard their accounts, Mastodon users are advised to check that the instance they use installs the updates promptly. The release of these patches coincides with Meta's launch of a new service aimed at attracting Twitter users who are leaving that platform.