The Mastodon side of the Fediverse experienced a shake-up today at the reveal of a massive vulnerability affecting the platform. Dubbed CVE-2024-23832, the summary reads as follows:

Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account.

Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

The Mastodon core team is not publicly sharing further details at this time, out of concern that any further details would enable hackers to target unpatched servers. The vulnerability was originally reported on January 26th by a user named Arcanicanis.

Maybe someone needs to poke Mastodon’s security team to check their email, or check their spam folder if Gmail decided to eat a fairly important security disclosure. I can’t quite poke/mention anyone on mastodon.social either, because of the typical fediblock absurdity

Arcanicanis, status update about reporting the incident

It is speculated by members of the Mastodon Infosec community that two-factor Authentication could hypothetically be bypassed by such an exploit. The Mastodon team has released a patch to address the origin validation issue; admins are advised to upgrade to Mastodon v4.2.5 as soon as possible.