Allowed abuse through messages with manipulated user handles #14419
Comments
|
Here is the JSON view of a reply sent by someone from the Misskey instance (example.org). I can see that the link handle and the displayed handle are different here as well. The content has been redacted for privacy. {
"id": "112974808957671390",
"created_at": "2024-08-17T01:39:38.195Z",
"in_reply_to_id": "112972745950554176",
"in_reply_to_account_id": "109419749463281498",
"sensitive": false,
"spoiler_text": "",
"visibility": "unlisted",
"language": null,
"uri": "https://example.org/notes/[0-9a-z]",
"url": "https://example.org/notes/[0-9a-z]",
"replies_count": 1,
"reblogs_count": 0,
"favourites_count": 1,
"edited_at": null,
"favourited": true,
"reblogged": false,
"muted": false,
"bookmarked": false,
"content": "\u003cp\u003e\u003ca href=\"https://catswords.social/@something\" class=\"u-url mention\" rel=\"nofollow noopener noreferrer\" target=\"_blank\"\u003e@gnh1201@catswords.social\u003c/a\u003e Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer nisl arcu, varius eget mollis eget, venenatis id lorem. Phasellus vestibulum maximus mollis. Nullam diam nulla, sollicitudin a laoreet. :blobcatyes:\u003c/p\u003e",
"filtered": [],
"reblog": null,
"account": { /*** account infomation ***/ },
} |
gnh1201
changed the title
|
|
|
Before addressing the issue, I noticed that the Lookup was not working properly on my test Misskey instance. This led me to check if the webfinger response from the remote server was corrupted during the Lookup attempt. It turned out that the response was indeed corrupted, and I believe this was likely the cause. It seems that the validation of the transmitted message operates independently from retrieving user information from the remote server. As a result, Misskey appears to use the tampered webfinger response as user information without suspicion. |
|
If someone swaps out a webfinger response with another user's, it could cause that user's avatar and nickname to appear as if they were the author. |
|
I can't determine why that was happened, but one possible situation is that fedrating updated information was delayed and someone had overlapped information on that. |
KisaragiEffective
added
⚠️bug?
|
@KisaragiEffective This is not just a delayed update. I have identified the cause and documented it in the security advisories. |
Summary
Recently, I discovered a strange issue occurring on one of the Misskey instances. Despite the author being different from the actual one, Misskey allowed the message to be received.
I suspect this issue might have been caused by a bug in the caching function of the CDN service I use. Additionally, I realized there was no verification process in place even when the author was manipulated. It became clear that relying solely on HTTP signatures, which are commonly used by ActivityPub applications, is insufficient to prevent this.
I believe there is a need for countermeasures to address this issue.
The issue is now resolved, so I can't reproduce it, but I have a screenshot as evidence.
Misskey version: 2024.3.1
The Misskey instance where the issue was confirmed is on a server managed by someone else beyond my authority. I have requested their cooperation to check this, but I have not received a response yet.
Purpose
This issue could potentially be exploited to forge messages. If further developed, it could become a security vulnerability.
Do you want to implement this feature yourself?
The text was updated successfully, but these errors were encountered: