An open(ish) redirect on Mastodon

By admin
I’ve responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site.

What do you think happens if you visit https://mastodon.social/@PasswordReset/111285045683598517/admin ?

If you aren’t logged in to that instance, it will redirect you to a 3rd party site. Try opening it in a private browser window.

Here’s another, less convincing, demo:

https://mastodon.social/@mastodonopenredirect.wordpress.com@mastodonopenredirect.wordpress.com

(You will need to not be logged in to Mastodon.Social for this to work.)

It is possible to craft a URL which will redirect any visitor who isn’t logged in. Attackers can use this as an open redirect for phishing, spam, and other attacks.

This will likely be fixed by #26917. But, in the meantime, administrators of Mastodon instances should be aware that their site could be used as an open redirect.

If you do spot any accounts which appear to be dodgy, admins can either block the account or the entire domain.

Here’s how it works – which involves some necessary background detail.

I am user @edent on Mastodon.social. I can send you a URL of https://Mastodon.Social/@edent and you will see my profile. Nice!

But there are lots of Fediverse servers out there. For example, I run a little bot called @colours on the BotsIn.Space instance. Its URL is https://BotsIn.Space/@colours – simple.

But what happens if I am viewing the Colours bot while on Mastodon.Social?

The interface shows https://Mastodon.Social/@colours@botsin.space – if you are logged in to Mastodon.Social, you will see the colours account, you can follow it, reply to it, and interact with it as though it were a user on your home instance.

But what if you’re not logged in?

If you visit https://Mastodon.Social/@colours@botsin.space you will be immediately redirected to https://BotsIn.Space/@colours

In theory, this is a good thing! You get taken to their home server and you can see their latest updates etc.

Unfortunately, this can be abused.

Try and visit https://botsin.space/@blog@shkspr.mobi – if you are not logged in to BotsIn.Space, you will be automatically redirected to my blog.

In addition, Mastodon ignores the @username when it sees a local status ID which references an external status. For example, both of these URLs will go to the same place:

A malicious user could do a few things.

The first is spam evasion. Email out a link to mastodon.social/@user@buy_illegal_puppies.com and it might skip spam filters, or confuse the user about the true destination.

The second is phishing. Is a user going to notice that they’ve been silently redirected to nnast0d0n.social? Stick up a convincing "Please log in again" page and you can steal their credentials.


ActivityPub uses the Well-Known / WebFinger specification. Mastodon will use this to find data on anything which looks like a username.

For example, here’s what my blog’s account looks like in WebFinger, at https://shkspr.mobi/blog/.well-known/webfinger?resource=acct:blog@shkspr.mobi :

    {
      "subject": "acct:blog@shkspr.mobi",
      "aliases": [
        "https://shkspr.mobi/blog/@blog"
      ],
      "links": [
        {
          "rel": "self",
          "type": "application/activity+json",
          "href": "https://shkspr.mobi/blog/@blog"
        },
        {
          "rel": "http://webfinger.net/rel/profile-page",
          "type": "text/html",
          "href": "https://shkspr.mobi/blog/@blog"
        }
      ]
    }


Mastodon will check that the account exists, and then redirect a non-logged-in user to the "profile-page" of the account that it finds.

So a malicious user can create a WebFinger at evil.com, then send out links to mastodon.example/@[email protected], and have users instantly redirected to their site.

Most ActivityPub instances won’t do this unless they’ve already seen the user being referenced. This can be achieved by sending a private message to a user on that server which mentions the redirection account.

Given that it is sensible to redirect users to an account’s home instance, I think there’s really only one way to solve this. An annoying interstitial.

You are leaving XYZ.social. We do not control the page Illegal_Ivory_Smuggling.com. If you are sure you want to proceed, click here. Do not share your username and password with 3rd party sites etc etc etc.
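To make the WebFinger lookup and the proposed interstitial concrete, here is an added example (my own code, not Mastodon’s): it parses a `@user@host` handle, resolves it against a WebFinger JRD, pulls out the `profile-page` link, and then applies the policy the post suggests, sending any off-instance destination through an interstitial rather than a silent redirect. The WebFinger documents are constructed samples (the first copies the blog’s real one shown above; the hostile one, with `evil.example` and `nnast0d0n.example`, is invented for illustration) and `fake_fetch` stands in for the HTTPS request to `/.well-known/webfinger`, so it runs offline.

```python
"""Resolve a fediverse handle via WebFinger and decide what a not-logged-in
visitor should see. Added example; not Mastodon's own code."""
import json
from urllib.parse import urlparse

PROFILE_REL = "http://webfinger.net/rel/profile-page"

# Constructed sample WebFinger documents, keyed by resource URI.
# The first is modelled on the blog's real document; the second is a
# made-up hostile one whose profile page points at a look-alike login page.
SAMPLE_DOCS = {
    "acct:blog@shkspr.mobi": {
        "subject": "acct:blog@shkspr.mobi",
        "aliases": ["https://shkspr.mobi/blog/@blog"],
        "links": [
            {"rel": "self", "type": "application/activity+json",
             "href": "https://shkspr.mobi/blog/@blog"},
            {"rel": PROFILE_REL, "type": "text/html",
             "href": "https://shkspr.mobi/blog/@blog"},
        ],
    },
    "acct:support@evil.example": {
        "subject": "acct:support@evil.example",
        "links": [
            {"rel": PROFILE_REL, "type": "text/html",
             "href": "https://nnast0d0n.example/login"},
        ],
    },
}


def fake_fetch(resource):
    """Stand-in for GET /.well-known/webfinger?resource=<resource>.
    Returns the JSON body as text, or None for an unknown account."""
    doc = SAMPLE_DOCS.get(resource)
    return json.dumps(doc) if doc else None


def parse_handle(handle):
    """'@user@host' or 'user@host' -> (user, host). Rejects anything else."""
    parts = handle.lstrip("@").split("@")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"not a user@host handle: {handle!r}")
    return parts[0], parts[1].lower()


def profile_page(doc):
    """Return the text/html profile-page href from a WebFinger JRD, or None."""
    for link in doc.get("links", []):
        if link.get("rel") == PROFILE_REL and link.get("type", "text/html") == "text/html":
            return link.get("href")
    return None


def decide(local_host, handle, fetch=fake_fetch):
    """Policy for a not-logged-in visit to https://{local_host}/@{handle}.

    local accounts  -> show the profile here
    unknown/odd     -> not_found (no redirect at all)
    remote accounts -> interstitial naming the real destination
    """
    user, host = parse_handle(handle)
    if host == local_host.lower():
        return {"action": "local_profile", "target": f"https://{local_host}/@{user}"}
    body = fetch(f"acct:{user}@{host}")
    if body is None:
        return {"action": "not_found", "target": None}
    target = profile_page(json.loads(body))
    if not target or urlparse(target).scheme != "https":
        # No usable https profile page: refuse rather than guess.
        return {"action": "not_found", "target": None}
    target_host = urlparse(target).hostname
    return {
        "action": "interstitial",
        "target": target,
        # Extra signal for admins: the profile page is not even on the
        # domain that appears in the handle.
        "off_home_server": target_host != host,
        "message": (f"You are leaving {local_host}. We do not control the page at "
                    f"{target_host}. If you are sure you want to proceed, click here. "
                    "Do not share your username and password with third party sites."),
    }


if __name__ == "__main__":
    for handle in ("@edent@mastodon.social", "@blog@shkspr.mobi",
                   "@support@evil.example", "@nobody@nowhere.example"):
        print(handle, "->", decide("mastodon.social", handle))
```

The `off_home_server` flag is not part of the post’s proposal; it is an extra check I added because a WebFinger response whose profile page lives on a different domain from the handle is exactly the shape of the phishing case above and is worth surfacing to admins who are deciding whether to block an account or a domain.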

I reported this to Mastodon on 2023-09-20. Apparently a number of other people have also reported it. While they work on how to fix the problem, I thought it was sensible to let people know that this attack was possible.