Mass remote follow being used as attack vector #11360
Comments
|
The attacker seems to be using the following commands: RAILS_ENV=production bin/tootctl accounts follow anyone@site.tld
RAILS_ENV=production bin/tootctl accounts create name --email e@ma.il --condirmed |
|
the feature itself is useful, but I think it should probably be scoped to local accounts only ;) |
|
https://FreeFediFollowers.ga/ is actively exploiting this in the wild. I recommend fellow fediverse nodes add a domain block for them. p.s. Adding a domain suspension (also enabling both block options under silence prior to selecting suspend in the moderation panel) will kick off sidekiq jobs and slowly remove all follows from all accounts. 😀 |
angristan
added a commit
to angristan/mastodon
that referenced
this issue
Aug 17, 2019
To (somewhat) limit mass remote follow. Fix mastodon#11360
mayaeh
pushed a commit
to mastodon-ja-l10n-team/mastodon
that referenced
this issue
Aug 18, 2019
To (somewhat) limit mass remote follow. Fix mastodon#11360
hiyuki2578
pushed a commit
to ProjectMyosotis/mastodon
that referenced
this issue
Oct 2, 2019
To (somewhat) limit mass remote follow. Fix mastodon#11360
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The command being used is:
(Screenshot taken from the attacker's feed; I haven't personally tried it :) )
Presumably the initial intent was just to artificially inflate follower numbers for specific accounts, but since posting this has been actively used against several servers.
Unclear whether simply suspending the remote server is sufficient to prevent impact as the admin interface states "The domain block will not prevent creation of account entries in the database" or whether firewall rules must also be employed.
The text was updated successfully, but these errors were encountered: