Mass remote follow being used as attack vector #11360
Comments
The attacker seems to be using the following commands:
RAILS_ENV=production bin/tootctl accounts follow anyone@site.tld
RAILS_ENV=production bin/tootctl accounts create name --email e@ma.il --confirmed
the feature itself is useful, but I think it should probably be scoped to local accounts only ;)
https://FreeFediFollowers.ga/ is actively exploiting this in the wild. I recommend fellow fediverse nodes add a domain block for them. p.s. Adding a domain suspension (also enabling both block options under silence prior to selecting suspend in the moderation panel) will kick off sidekiq jobs and slowly remove all follows from all accounts. 😀
To (somewhat) limit mass remote follow. Fix mastodon#11360
The command being used is:
(Screenshot taken from the attacker's feed; I haven't personally tried it :) )
Presumably the initial intent was just to artificially inflate follower numbers for specific accounts, but since posting, this has been actively used against several servers.
Unclear whether simply suspending the remote server is sufficient to prevent impact as the admin interface states "The domain block will not prevent creation of account entries in the database" or whether firewall rules must also be employed.
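Detection logic of the kind an admin could run over an export of recent follows to spot the source domain of a burst like the one reported above, as an added example that is not part of this issue or of Mastodon's own code; the log format, the thresholds and the domain names are constructed.

```ruby
# Added example (not Mastodon's own code): flag remote domains that generate
# an abnormal number of follows against local accounts within a short window,
# so an admin can decide on the domain block discussed in this issue.
require 'time'

# Constructed sample of follow events, one per line:
# "ISO8601 timestamp  remote follower acct  local target acct".
SAMPLE_FOLLOW_LOG = <<~LOG
  2019-07-20T10:00:01Z a1@freefedifollowers.example alice@home.example
  2019-07-20T10:00:02Z a2@freefedifollowers.example alice@home.example
  2019-07-20T10:00:02Z a3@freefedifollowers.example bob@home.example
  2019-07-20T10:00:03Z a4@freefedifollowers.example carol@home.example
  2019-07-20T10:00:03Z a5@freefedifollowers.example dave@home.example
  2019-07-20T10:05:00Z friend@other.example alice@home.example
  2019-07-20T11:00:00Z a6@freefedifollowers.example alice@home.example
LOG

# Parse one line into a hash; returns nil for lines that do not match.
def parse_follow_line(line)
  ts, follower, target = line.split
  return nil unless ts && follower && target && follower.include?('@')
  { at: Time.iso8601(ts), domain: follower.split('@').last.downcase, target: target }
rescue ArgumentError
  nil
end

# Returns { domain => peak_count } for every remote domain whose number of
# follows inside any sliding window of +window+ seconds reaches +threshold+.
def suspicious_follow_domains(log, threshold: 5, window: 60)
  events = log.each_line.map { |l| parse_follow_line(l.strip) }.compact
  flagged = {}
  events.group_by { |e| e[:domain] }.each do |domain, evs|
    times = evs.map { |e| e[:at] }.sort
    start = 0
    peak = 0
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window # slide window start forward
      peak = [peak, i - start + 1].max
    end
    flagged[domain] = peak if peak >= threshold
  end
  flagged
end

if $PROGRAM_NAME == __FILE__
  suspicious_follow_domains(SAMPLE_FOLLOW_LOG).each do |domain, n|
    puts "#{domain}: #{n} follows within 60s, consider a domain block"
  end
end
```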