“TootRoot” Mastodon vulnerabilities fixed: Admins, patch now!

One of Twitter’s big rivals, Mastodon, recently finished fixing four issues which (in the worst case) allowed for the creation of files on the instance’s server. Mastodon, whose main selling point is lots of separate communities living on different servers yet still able to communicate, was notified of the flaws by auditors from a penetration testing company.

CVE-2023-36460 is the aforementioned “worst case”, dubbed TootRoot. If you’re not familiar with Mastodon, user posts are called “Toots” (as opposed to tweets if you’re on Twitter). As with Twitter, you’re able to post media files and this is where the problem resided.

According to Bleeping Computer, an issue with Mastodon’s media processing code meant a wide variety of problems could happen as a result. Denial of Service and arbitrary remote code execution are mentioned, with researcher Kevin Beaumont focusing on how webshells could be created on instances processing the rogue Toot.

The other vulnerabilities included cross-site scripting (XSS), potentially used to hijack accounts or impersonate others (CVE-2023-36459), and a technique used for phishing through “verified profile links” (CVE-2023-36462). The final flaw allowed for Denial of Service (DoS) through slow HTTP responses (CVE-2023-36461).

As the patches are server updates, it’s essential that Mastodon admins set about securing their servers. The various issues were fixed in Mastodon versions 3.5.9, 4.0.5, and 4.1.3. Until you update, anything above Mastodon version 3.5.0 could be at risk.

Mastodon allows for the creation of many small (typically invite only) communities catering to all manner of interests and activities. There is a possibility that any security issue on such a platform could lead to specific forms of targeted harassment of at-risk communities.

Indeed, even the Mastodon instances populated by security folks aren’t exactly out of harm’s reach. Back in November of last year, someone discovered a way to steal passwords through an HTML injection vulnerability. Unfortunately for the good folks of Infosec Exchange, the vulnerability happened to affect the Glitch fork being used by…you’ve guessed it…Infosec Exchange. As a humorous side note, the issue was discovered due to people putting a “verified” icon in their username as a dig at Twitter.

Elsewhere, a misconfigured server was found to be scraping Mastodon user data. While the data scraped was nothing spectacular, instead including things like account and display name alongside profile pictures, it was a valuable reminder to be careful about what you post online.

Thankfully lots of Mastodon admins take these risks seriously, and most major instances should already be running the required patches for the various issues which have been found over time. If you’re looking to make the leap to Mastodon yourself, you should check out our guide which leads you through everything from account creation and server sign up to posting. Happy Tooting!


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

https://blog.malwarebytes.com/feed/