Summary
Under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own.
Found and reported by Gabriel Campana
Details
Old domain name normalization code in Mastodon incorrectly stripped "/" from domain names, removing any occurrence from the string, not just occurrences at the end of the string.
This allows attackers to impersonate domains, provided they are able to register a domain name that happens to be a textual prefix of the impersonated domain.
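The following is an added illustration, not Mastodon's own code: it contrasts a normalizer that deletes every "/" (the behaviour the advisory describes) with a strict form that drops only a single trailing "/" and validates what remains as a host name. The domain names, function names and regular expression are constructed for the example.

```ruby
# Added example (not Mastodon's code): buggy vs. strict domain normalization.

# Buggy behaviour as described in the advisory: every "/" is deleted, so a
# string containing an embedded slash collapses into a different host name.
def normalize_domain_buggy(domain)
  domain.strip.downcase.delete('/')
end

# Hardened form: remove only one trailing "/", then require that the result is
# a plain DNS host name (labels of letters, digits and hyphens joined by dots).
# Anything else, including an embedded "/", is rejected by returning nil.
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/

def normalize_domain_strict(domain)
  host = domain.strip.downcase.chomp('/')
  HOSTNAME_RE.match?(host) ? host : nil
end

# True when the two normalizers disagree, i.e. when the old code would have
# produced a host name that the strict code refuses to accept.
def collapses_under_buggy_normalizer?(domain)
  normalize_domain_buggy(domain) != normalize_domain_strict(domain)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; none of these are real domains.
  ['social.example', 'social.example/', 'social.exam/ple'].each do |s|
    printf("%-20s buggy=%-18s strict=%s\n", s.inspect,
           normalize_domain_buggy(s).inspect, normalize_domain_strict(s).inspect)
  end
end
```

Only the trailing-slash case normalizes identically under both versions; an input with an embedded slash is accepted by the buggy code and rejected by the strict one.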
Impact
Attackers can spoof domains they do not own. More details to be announced.