Full Report
Mastodon is a decentralized Twitter-like replacement. Instead of a single website, there are multiple servers (instances) that are run independently. The instances communicate via HTTP requests carrying a signature to provide authenticity. A user's public key can be used to easily verify that user: signature validation works by fetching the public key and then verifying that the signature matches the user and domain. The lookup parses the username (@donald) and the domain (@mastodon.com) to figure out where to query the public key from. However, the parsing of the domain and the username is busted. When parsing the domain, all slashes are removed from it! So the domain mastodon.so/cial becomes mastodon.social when it is parsed. This allows the spoofing of requests from arbitrary users across different servers. To exploit this, an attacker would need control of a domain whose TLD is a truncated prefix of the target's TLD, i.e. different from the real domain but close to it. For instance, a user with mastodon.so could spoof mastodon.social. They used this to send private DMs as other users, which is pretty fire. Great bug find!
Analysis Summary
# Vulnerability: Mastodon Domain Normalization Arbitrary Account Impersonation
## CVE Details
- **CVE ID:** CVE-2023-42451
- **CVSS Score:** 9.4 (Critical) - *Based on high impact to integrity and confidentiality via network vector.*
- **CWE:** CWE-20: Improper Input Validation / CWE-178: Improper Handling of Case Sensitivity (Normalization Issue)
## Affected Systems
- **Products:** Mastodon (Decentralized social networking software)
- **Versions:** All versions prior to the September 19, 2023 security release.
- **Configurations:** Any instance processing federated ActivityPub traffic with HTTP signatures.
## Vulnerability Description
The flaw exists in Mastodon's domain normalization logic. When parsing a user's domain to verify an HTTP signature, the code intended to strip trailing slashes (e.g., `example.com/`) but instead used a global deletion method (`domain.delete('/')`). This caused all forward slashes within a string to be removed.
An attacker can exploit this by registering a domain that is a textual prefix of a target instance's domain: the attacker's domain, followed by a slash and the remaining characters of the target domain, normalizes to the target. For example, the domain `mastodon.so` plus a path of `/cial` would be normalized to `mastodon.social`. The attacker can then serve their own public key, which the impersonated instance's signature verification accepts for accounts belonging to the target.
## Exploitation
- **Status:** PoC available; verified by researcher in a live environment (registering `[redacted].co` to spoof `[redacted].com`).
- **Complexity:** Medium (requires registering a domain, under a TLD or as a subdomain, that is a textual prefix of the target instance's domain).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Attacker can receive and read private mentions/DMs intended for the spoofed user).
- **Integrity:** High (Attacker can send DMs, publish "toots," and perform "follow" actions as the spoofed user).
- **Availability:** Low
## Remediation
### Patches
Update to the following versions or higher:
- **v3.5.14**
- **v4.0.10**
- **v4.1.8**
- **v4.2.0-rc2** (or the stable **v4.2.0** release)
### Workarounds
No practical manual workarounds exist other than upgrading the software, as the vulnerability resides in the core signature verification logic.
## Detection
- **Indicators of Compromise:** Unusual activity from high-profile accounts or an influx of requests from instances that use "prefix" domains (e.g., if you are `example.social`, watch for traffic from `example.so`).
- **Detection methods and tools:**
  - Admins can check their database for remote accounts registered with "prefix" domains.
  - Use the researcher's provided [Python script](https://gist.github.com/scumjr/e64ba1de3697a5d9b2a30f5002bab8aa) to identify if your instance domain has a TLD-based prefix that is vulnerable to registration.
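To make the normalization bug and the admin check concrete, here is an added Ruby example (not Mastodon's code, not the upstream patch and not the researcher's script): the slash-deleting normalizer beside a hardened form, and a helper that lists the shorter "prefix" domains an admin should watch for or check the accounts table against. The hostname regex and the `prefix_domains` / `suspicious_remote_domains` helpers are assumptions of this example.

```ruby
# Added example, not Mastodon's code.

# Vulnerable behaviour described above: intended to drop a trailing
# slash, but String#delete removes every '/' in the string.
def vulnerable_normalize(domain)
  domain.delete('/')
end

# Hardened form (assumption, not the upstream patch): strip only a
# trailing slash, then refuse anything that is not a plain hostname,
# so a remaining '/' can never be silently swallowed.
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+\z/i

def safe_normalize(domain)
  candidate = domain.chomp('/')
  raise ArgumentError, "invalid domain: #{domain.inspect}" unless candidate.match?(HOSTNAME_RE)
  candidate.downcase
end

# Every strictly shorter prefix of `target` that still looks registrable
# (contains a dot, final label of at least two characters). Each one plus
# '/' plus the remainder collapses to `target` under vulnerable_normalize,
# so these are the domains a defender should watch for.
def prefix_domains(target)
  (1...target.length).map { |i| target[0, i] }.select do |prefix|
    prefix.include?('.') && !prefix.end_with?('.') &&
      prefix.split('.').last.length >= 2 &&
      vulnerable_normalize("#{prefix}/#{target[prefix.length..]}") == target
  end
end

# Admin check from the Detection section: flag remote account domains
# (e.g. pulled from the accounts table) that are prefix domains of ours.
def suspicious_remote_domains(instance_domain, remote_domains)
  watch = prefix_domains(instance_domain)
  remote_domains.uniq.select { |d| watch.include?(d.downcase) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample data for a stand-alone run.
  puts vulnerable_normalize('mastodon.so/cial')
  puts prefix_domains('example.social').inspect
  puts suspicious_remote_domains('example.social',
                                 %w[friend.example example.so other.net]).inspect
end
```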
## References
- **Vendor Advisory:** [https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667](https://github.com/mastodon/mastodon/security/advisories/GHSA-v3xf-c9qf-j667)
- **Technical Write-up:** [https://scumjr.github.io/2023/11/07/usurping-mastodon-instances/](https://scumjr.github.io/2023/11/07/usurping-mastodon-instances/)
- **Patch Commit:** [https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8](https://github.com/mastodon/mastodon/commit/eeab3560fc0516070b3fb97e089b15ecab1938c8)