Mastodon fixes major security flaw that could have allowed system hijacking
Mastodon issues five major security fixes
Social media challenger Mastodon has issued fixes for no fewer than five security vulnerabilities, the majority of which are categorized as high or critical severity.
The flaws include CVE-2023-36460, which could have allowed an attacker to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution. The update confirms that versions 3.5.9, 4.0.5, and 4.1.3 contain a patch for this vulnerability.
Beyond a brief overview, few details about the vulnerability have been confirmed. It is believed that an attacker might have been able to spread malware using the vulnerability, but it is so far unclear whether it has been actively exploited.
Mastodon security patches
The description for another vulnerability, known as CVE-2023-36462, reads: “An attacker can craft a verified profile link using specific formatting to conceal arbitrary parts of the link, enabling it to appear to link to a different URL altogether.” This was considered to have the least severe consequences, marked as moderate.
Through this, an attacker might have been able to reformat URLs to mask the fact that they were instead redirecting to phishing campaigns or malware sites.
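The risk described for CVE-2023-36462 is that the text a reader sees for a link does not match where the link actually goes. The following is an added example, not code from Mastodon or from the article, showing the kind of defensive check a site could run over rendered profile links: it flags anchors whose visible text looks like a web address but names a different host than the real target, and anchors whose visible text contains zero-width characters that could hide part of the address. The `SAMPLE_LINKS` data is constructed for illustration.

```python
from urllib.parse import urlparse

# Characters that render as nothing and can be used to hide parts of a displayed URL.
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"


def strip_invisible(text: str) -> str:
    """Remove zero-width characters from text shown to the reader."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def host_of(url: str) -> str:
    """Lower-cased hostname of url ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Heuristic: would a reader take this visible text for a web address?"""
    t = text.strip().lower()
    if t.startswith(("http://", "https://")):
        return True
    first_segment = t.split("/")[0]
    return "." in first_segment and " " not in first_segment


def link_is_deceptive(href: str, visible_text: str) -> bool:
    """True when the displayed text misrepresents the link target.

    Two conditions are flagged:
      1. the visible text contains zero-width characters (something is hidden);
      2. the visible text reads as a URL whose host differs from href's host.
    """
    cleaned = strip_invisible(visible_text)
    if cleaned != visible_text:
        return True
    if not looks_like_url(cleaned):
        return False  # plain labels like "my site" are not impersonating an address
    shown = cleaned.strip()
    if not shown.lower().startswith(("http://", "https://")):
        shown = "https://" + shown  # so urlparse sees the bare domain as a host
    return host_of(shown) != host_of(href)


def audit_links(links):
    """Return the (href, visible_text) pairs that should be held for review."""
    return [(h, t) for h, t in links if link_is_deceptive(h, t)]


# Constructed sample anchors: (actual href, text displayed to the reader).
SAMPLE_LINKS = [
    ("https://example.org/profile", "example.org/profile"),            # honest
    ("https://evil.example/login", "https://example.org/login"),       # host mismatch
    ("https://evil.example/", "Click here"),                            # plain label, allowed
    ("https://evil.example/x", "example.org\u200b/settings"),          # hidden character
]

if __name__ == "__main__":
    for href, text in audit_links(SAMPLE_LINKS):
        print(f"flagged: shown={text!r} actual={href}")
```

The host comparison deliberately ignores path and query, since the point is whether the reader would be sent to a different site than the one they believe they are visiting; a stricter deployment could also compare schemes or require the visible text to be rendered from the href itself rather than from user-supplied text.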
Further high and critical issues fixed include a slowloris-type Denial of Service attack vulnerability, cross-site scripting (XSS) attacks, and the potential for an attacker to leak arbitrary attributes from the LDAP database.
While Mastodon is responsible for issuing the fixes, Cure53 has been credited with the penetration testing, with thanks to funding from the Mozilla Foundation.
This comes at a time when Mastodon continues to attract new social media users as Twitter users look to abandon the once Musk-led platform. With new CEO Linda Yaccarino at the helm, positive changes are yet to materialize. At the same time, Meta’s new Threads platform is trying to sweep up ex-Twitter users.
With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!