Summary
When fetching remote statuses, Mastodon doesn't check that the response from the remote server has a `Content-Type` header value of the Activity Streams media type, which allows a threat actor to upload a crafted Activity Streams document to a remote server and make a Mastodon server fetch it, if the remote server accepts arbitrary user uploads.
Details
Some federated server implementations allow their users to upload arbitrary documents, including JSON documents, as attachments to posts.
On the other hand, Mastodon's `FetchRemoteStatusService` did not check that the response from the remote server had a `Content-Type` header value of the Activity Streams media type (i.e. `application/ld+json` with a profile value of `https://www.w3.org/ns/activitystreams`, or `application/activity+json`). This implies that a Mastodon server can fetch a user-uploaded document on a remote server and accept it as an Activity Streams object unless it's otherwise malformed.
`FetchRemoteStatusService#trustworthy_attribution?` trusts the `attributedTo` property of a fetched object as long as the domain of the attributed actor is the same as the original request URI. Consequently, a threat actor with a low-privileged account on a remote server can upload an Activity Streams document with a crafted `attributedTo` property to the remote server and make a Mastodon server fetch it in order to impersonate another account on the same remote server.
`FetchRemoteActorService` doesn't check the `Content-Type` either. But it requires that the remote account is resolvable from a canonical `acct:` URI via WebFinger, so the service would reject user-uploaded actor objects (unless the threat actor somehow manages to trick the remote server's well-known endpoint into resolving to the fake actor document).
`JsonLdHelper#fetch_resource` rejects the fetched resource if the `id` of the top-level node of the JSON-LD document doesn't match the original request URL, which increases the complexity of the exploit: the threat actor needs to be able to predict the URI of the uploaded documents before uploading them, or to edit the uploaded documents without changing the URI. For example, Misskey uses UUIDs in the URIs of uploaded documents, so it's hard to impersonate accounts on a Misskey instance against Mastodon.
Impact
The vulnerability allows a threat actor to impersonate an account on a remote server that satisfies all of the following properties:
- Allows the attacker to register an account
- Accepts arbitrary user-uploaded documents and places them on the same domain as the ActivityPub actors
- Serves user-uploaded documents in response to requests with an `Accept` header value of the Activity Streams media type
The vulnerability may also affect accounts on server implementations that don't normally serve arbitrary user-uploaded documents, in combination with a vulnerability of the other implementation, like GHSA-9928-3cp5-93fm, which can make the server serve arbitrary documents.