
Moderator identity disclosure in Mastodon when approving appeal of sensitive marked statuses

Advisory Info

  • Vendor: Mastodon gGmbH
  • Product: Mastodon
  • Affected Versions: >= 3.5.0 < 3.5.3
  • Patched Versions: 3.5.3
  • Vendor Publication Date: 2022-05-26

Vulnerability Info

Summary

Mastodon v3.5.0 introduced the ability for users to appeal moderation actions taken by moderators on their instance.

Each Mastodon instance has a special account that represents the instance (often referred to as the representative account or instance actor) which is based on the instance's domain name (LOCAL_DOMAIN).

The appeals feature uses the representative account to prevent the identity of the acting moderator from being revealed in the edit histories of the appealed posts they approve or deny.

From Mastodon 3.5.0 up to (but not including) 3.5.3, the undo_mark_statuses_as_sensitive! method in approve_appeal_service.rb passed the logged-in moderator's account id (@current_account.id) instead of the representative account's id (representative_account.id) to UpdateStatusService, which is the call that writes the edit-history entry:

diff --git a/app/services/approve_appeal_service.rb b/app/services/approve_appeal_service.rb
index 37a08b46e386..96aaaa7d078b 100644
--- a/app/services/approve_appeal_service.rb
+++ b/app/services/approve_appeal_service.rb
@@ -52,8 +52,9 @@ def undo_delete_statuses!
   end

   def undo_mark_statuses_as_sensitive!
+    representative_account = Account.representative
     @strike.statuses.includes(:media_attachments).each do |status|
-      UpdateStatusService.new.call(status, @current_account.id, sensitive: false) if status.with_media?
+      UpdateStatusService.new.call(status, representative_account.id, sensitive: false) if status.with_media?
     end
   end
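Review bot: the two `+` lines fix the attribution but the hunk carries no regression test; add a service spec that approves an appeal for a media status marked sensitive and asserts the resulting status edit is attributed to `Account.representative` rather than the acting moderator, so a later refactor cannot silently reintroduce `@current_account.id` here. Since `representative_account = Account.representative` is now evaluated before the loop, the lookup also runs when the strike has no statuses with media; that is harmless, but worth a comment so nobody "optimises" it back inside the loop.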

This resulted in moderator identity disclosure whenever a moderator or admin approved the appeal of a user whose media post had been marked as sensitive: the account that performed the reversal was recorded in the post's edit history, which is visible to anyone who can see the post.
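The following is an added illustration, not Mastodon's code: a minimal in-memory model of how an edit is attributed, with the leaky call and the fixed call side by side, plus an audit that picks out edit-history entries showing the disclosure described above. Account names, ids and the edit list are constructed for the example.

```ruby
# Constructed stand-ins for Mastodon's Account and StatusEdit records.
Account    = Struct.new(:id, :username, :moderator)
StatusEdit = Struct.new(:status_id, :account_id, :sensitive)

REPRESENTATIVE = Account.new(1, "instance.example", false) # instance actor (constructed)
MODERATOR      = Account.new(2, "mod_alice", true)         # acting moderator (constructed)
POSTER         = Account.new(3, "bob", false)              # appealing user (constructed)

# Stand-in for UpdateStatusService.new.call: every edit records the account
# that made it, which is exactly what the public edit history later shows.
def update_status(edits, status_id, account_id, sensitive:)
  edits << StatusEdit.new(status_id, account_id, sensitive)
end

# Vulnerable shape (3.5.0 to 3.5.2): the reversal is attributed to the
# logged-in moderator, so the moderator's account lands in the edit history.
def approve_appeal_vulnerable(edits, status_ids, current_account)
  status_ids.each { |sid| update_status(edits, sid, current_account.id, sensitive: false) }
  edits
end

# Fixed shape (3.5.3): the reversal is attributed to the representative
# account, hiding which moderator acted.
def approve_appeal_fixed(edits, status_ids, representative_account)
  status_ids.each { |sid| update_status(edits, sid, representative_account.id, sensitive: false) }
  edits
end

# Defender's check: an edit that un-marks sensitivity and is attributed to a
# moderator account rather than the representative account is the disclosure
# this advisory describes. Returns the offending edits.
def leaked_edits(edits, accounts)
  by_id = accounts.to_h { |a| [a.id, a] }
  edits.select do |e|
    acct = by_id[e.account_id]
    e.sensitive == false && acct && acct.moderator && acct.id != REPRESENTATIVE.id
  end
end

if __FILE__ == $PROGRAM_NAME
  accts = [REPRESENTATIVE, MODERATOR, POSTER]
  vuln  = approve_appeal_vulnerable([], [10, 11], MODERATOR)
  fixed = approve_appeal_fixed([], [10, 11], REPRESENTATIVE)
  puts "vulnerable path leaks #{leaked_edits(vuln, accts).size} edits, fixed path leaks #{leaked_edits(fixed, accts).size}"
end
```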

Steps to Reproduce

  1. As a user on a Mastodon instance (herein https://instance), make a status update with a photo or video attached.

  2. As a moderator or admin on the same instance, open the status update in the admin panel and select "Report" followed by "Mark as sensitive".

  3. As the poster, browse to https://instance/disputes/strikes, select the strike, and submit the appeal form.

  4. As the moderator, browse to https://instance/admin/disputes/appeals?status=pending, select the appeal, and approve it.

  5. As either user, browse to the status update and select the "Edited" dropdown. Observe that the acting moderator's identity is shown in the edit history instead of the representative account's identity.

Impact

Mastodon users whose media posts were marked as sensitive by moderators and later successfully appealed would have been able to identify the user who performed the reversal.

Recommendations

If you run a Mastodon server, you should update to Mastodon version 3.5.3 or above. Other ActivityPub server implementations are not affected.

Timeline

  • 2022-04-20: Vulnerability discovery
  • 2022-04-20: Advisory and patch sent to vendor
  • 2022-04-21: Vendor acknowledgment
  • 2022-05-26: Vendor releases fix in v3.5.3 (PR, changelog)