I’ve responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site.

What do you think happens if you visit this link?

If you aren’t logged in to that instance, it will redirect you to a 3rd party site. Try opening it in a private browser window.

Here’s another, less convincing, demo:

(You will need to not be logged in to Mastodon.Social for this to work.)

It is possible to craft a URL which will redirect any visitor who isn’t logged in. Attackers can use this as an open redirect for phishing, spam, and other attacks.

This will likely be fixed by #26917. But, in the meantime, administrators of Mastodon instances should be aware that their site could be used as an open redirect.

If you do spot any accounts which appear to be dodgy, admins can either block the account or the entire domain.

Here’s how it works – which involves some necessary background detail.

I am user @edent. I can send you a URL of https://Mastodon.Social/@edent and you will see my profile. Nice!

But there are lots of Fediverse servers out there. For example, I run a little bot called @colours on the BotsIn.Space instance. Its URL is https://BotsIn.Space/@colours – simple.

But what happens if I am viewing the Colours bot while on Mastodon.Social?

The interface shows https://Mastodon.Social/@[email protected] – if you are logged in to Mastodon.Social, you will see the colours account, you can follow it, reply to it, and interact with it as though it were a user on your home instance.

But what if you’re not logged in?

If you visit https://Mastodon.Social/@[email protected] you will be immediately redirected to https://BotsIn.Space/@colours

In theory, this is a good thing! You get taken to their home server and you can see their latest updates etc.

Unfortunately, this can be abused.

Try and visit [email protected] – if you are not logged in to BotsIn.Space, you will be automatically redirected to my blog.

In addition, Mastodon ignores the @username when it sees a local status ID which references an external status. For example, both of these URLs will go to the same place:

A malicious user could do a few things.

The first is spam evasion. Email out a link and it might skip spam filters, or confuse the user about the true destination.

The second is phishing. Is a user going to notice that they’ve been silently redirected to a different site? Stick up a convincing "Please log in again" page and you can steal their credentials.

ActivityPub uses the Well-Known / WebFinger specification. Mastodon will use this to find data on anything which looks like a username.

For example, here’s what my blog’s account ([email protected]) looks like in WebFinger:

```json
{
  "subject": "acct:[email protected]",
  "aliases": [ "" ],
  "links": [
    {
      "rel": "self",
      "type": "application/activity+json",
      "href": ""
    },
    {
      "rel": "",
      "type": "text/html",
      "href": ""
    }
  ]
}
```

Mastodon will check that the account exists, and then redirect a non-logged-in user to the "profile-page" of the account that it finds.

So a malicious user can create a WebFinger record on a domain they control, then send out links to mastodon.example/@[email protected], and have users instantly redirected to their site.

Most ActivityPub instances won’t do this unless they’ve already seen the user being referenced. This can be achieved by sending a private message to a user on that server which mentions the redirection account.

Given that it is sensible to redirect users to an account’s home instance, I think there’s really only one way to solve this. An annoying interstitial.

You are leaving this site. We do not control the destination page. If you are sure you want to proceed, click here. Do not share your username and password with 3rd party sites, etc etc etc.
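To make the two pieces above concrete (the WebFinger lookup that yields the "profile-page" href, and the interstitial proposed as the fix), here is an added example. It is not Mastodon’s code and not from the original post: the function names, the `mastodon.example` / `remote.example` hosts and the embedded WebFinger document are all constructed for illustration, and the link relation `http://webfinger.net/rel/profile-page` is the standard WebFinger value that the post’s copy of the document leaves blank. The logic serves an anonymous visitor to a remote handle an interstitial rather than an automatic redirect, and refuses any profile-page href that is not an http(s) URL.

```python
import html
import json
from urllib.parse import urlsplit

# Standard WebFinger link relation for an account's HTML profile page.
# (Assumption: the post's copy of the WebFinger document elides this value.)
PROFILE_PAGE_REL = "http://webfinger.net/rel/profile-page"

# Constructed WebFinger document in the shape shown in the post.
# The domain and URLs are placeholders, not a real account.
SAMPLE_WEBFINGER = json.dumps({
    "subject": "acct:blog@remote.example",
    "aliases": ["https://remote.example/profile"],
    "links": [
        {"rel": "self", "type": "application/activity+json",
         "href": "https://remote.example/actor"},
        {"rel": PROFILE_PAGE_REL, "type": "text/html",
         "href": "https://remote.example/profile"},
    ],
})


def parse_handle(path):
    """Split a profile path into (username, domain).

    "/@edent"                -> ("edent", None)            local account
    "/@colours@botsin.space" -> ("colours", "botsin.space") remote account
    """
    if not path.startswith("/@"):
        raise ValueError("not a profile path: %r" % path)
    parts = path[2:].split("@")
    if len(parts) == 1 and parts[0]:
        return parts[0], None
    if len(parts) == 2 and all(parts):
        return parts[0], parts[1].lower()
    raise ValueError("malformed handle in path: %r" % path)


def profile_page_from_webfinger(doc_text, expected_acct):
    """Return the text/html profile-page href from a WebFinger document.

    The subject must match the account we asked about, so a document served
    for one handle cannot be substituted for another.
    """
    doc = json.loads(doc_text)
    if doc.get("subject") != "acct:" + expected_acct:
        raise ValueError("WebFinger subject does not match %s" % expected_acct)
    for link in doc.get("links", []):
        if link.get("rel") == PROFILE_PAGE_REL and link.get("type") == "text/html":
            return link.get("href")
    return None


def decide_response(instance_host, path, logged_in, webfinger_doc):
    """Decide what an instance should do for a request to a profile path.

    Logged-in visitors get the in-app view. Anonymous visitors to a remote
    handle get an interstitial instead of an automatic redirect, because the
    handle's owner controls where the WebFinger profile-page points.
    """
    user, domain = parse_handle(path)
    if domain is None or domain == instance_host.lower():
        return {"action": "render_local",
                "target": "https://%s/@%s" % (instance_host, user)}
    if logged_in:
        return {"action": "render_remote",
                "target": "https://%s/@%s@%s" % (instance_host, user, domain)}
    href = profile_page_from_webfinger(webfinger_doc, "%s@%s" % (user, domain))
    if href is None:
        return {"action": "not_found", "target": None}
    parts = urlsplit(href)
    # Only ever send a browser to an http(s) URL; refuse javascript:, data:, etc.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return {"action": "not_found", "target": None}
    return {"action": "interstitial", "target": href, "target_host": parts.hostname}


def interstitial_html(instance_host, target):
    """Render the 'you are leaving' page the post proposes.

    The destination is HTML-escaped and shown in full so the visitor can see
    the real host before clicking; nothing redirects automatically.
    """
    safe_target = html.escape(target, quote=True)
    safe_host = html.escape(instance_host, quote=True)
    return (
        "<p>You are leaving %s.</p>\n"
        "<p>We do not control the page <code>%s</code>.</p>\n"
        "<p>If you are sure you want to proceed, "
        "<a href=\"%s\" rel=\"noopener noreferrer nofollow\">click here</a>.</p>\n"
        "<p>Do not share your username and password with 3rd party sites.</p>\n"
    ) % (safe_host, safe_target, safe_target)


if __name__ == "__main__":
    cases = [("/@edent", False), ("/@blog@remote.example", True),
             ("/@blog@remote.example", False)]
    for path, logged_in in cases:
        print(path, logged_in,
              decide_response("mastodon.example", path, logged_in, SAMPLE_WEBFINGER))
    print(interstitial_html("mastodon.example", "https://remote.example/profile"))
```

The host check deliberately does not try to decide whether the destination is "trustworthy": as the post notes, the attacker controls both the WebFinger document and the domain it points to, so the only robust defence is to stop the automatic redirect and show the visitor where they are going.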

I reported this to Mastodon on 2023-09-20. Apparently a number of other people have also reported it. While they work on how to fix the problem, I thought it was sensible to let people know that this attack was possible.

