An open(ish) redirect on Mastodon
I've responsibly disclosed a small security issue with Mastodon (GHSA-8982-p7pm-7mqw). It allows a sufficiently determined attacker to use any Mastodon instance to redirect unwary users to a malicious site.
What do you think happens if you visit: https://mastodon.social/@PasswordReset/111285045683598517/admin?
If you aren't logged in to that instance, it will redirect you to a 3rd party site. Try opening it in a private browser window.
Here's another, less convincing, demo:
https://mastodon.social/@mastodonopenredirect.wordpress.com@mastodonopenredirect.wordpress.com (You will need to not be logged in to Mastodon.Social for this to work.)
It is possible to craft a URL which will redirect any visitor who isn't logged in. Attackers can use this as an open redirect for phishing, spam, and other attacks.
Remediation
This will likely be fixed by #26917. But, in the meantime, administrators of Mastodon instances should be aware that their site could be used as an open redirect.
If you do spot any accounts which appear to be dodgy, admins can either block the account or the entire domain.
Background
Here's how it works - which involves some necessary background detail.
I am user @edent on Mastodon.social. I can send you a URL of https://Mastodon.Social/@edent and you will see my profile. Nice!
But there are lots of Fediverse servers out there. For example, I run a little bot called @colours on the BotsIn.Space instance. Its URL is https://BotsIn.Space/@colours - simple.
But what happens if I am viewing the Colours bot while on Mastodon.Social?
The interface shows https://Mastodon.Social/@colours@BotsIn.Space - if you are logged in to Mastodon.Social, you will see the colours account, you can follow it, reply to it, and interact with it as though it were a user on your home instance.
But what if you're not logged in?
If you visit https://Mastodon.Social/@colours@BotsIn.Space you will be immediately redirected to https://BotsIn.Space/@colours
In theory, this is a good thing! You get taken to their home server and you can see their latest updates etc.
Unfortunately, this can be abused.
Try and visit https://botsin.space/@blog@shkspr.mobi - if you are not logged in to BotsIn.Space, you will be automatically redirected to my blog.
In addition, Mastodon ignores the @username when it sees a local status ID which references an external status. For example, both of these URLs will go to the same place:
- https://mastodon.social/@colours@botsin.space/111323978746693908
- https://mastodon.social/@RandomLettersAnd1234/111323978746693908
Impact
A malicious user could do a few things.
The first is spam evasion. Email out a link to mastodon.social/@user@buy_illegal_puppies.com and it might skip spam filters, or confuse the user about the true destination.
The second is phishing. Is a user going to notice that they've been silently redirected to nnast0d0n.social? Stick up a convincing "Please log in again" page and you can steal their credentials.
Why This Works
ActivityPub uses the Well-Known / WebFinger specification. Mastodon will use this to find data on anything which looks like a username.
For example, here's what my blog's account looks like in WebFinger: https://shkspr.mobi/blog/.well-known/webfinger?resource=acct:blog@shkspr.mobi:
{
    "subject": "acct:blog@shkspr.mobi",
    "aliases": [
        "https://shkspr.mobi/blog/@blog"
    ],
    "links": [
        {
            "rel": "self",
            "type": "application/activity+json",
            "href": "https://shkspr.mobi/blog/@blog"
        },
        {
            "rel": "http://webfinger.net/rel/profile-page",
            "type": "text/html",
            "href": "https://shkspr.mobi/blog/@blog"
        }
    ]
}
Mastodon will check that account exists, and then redirect a non-logged-in user to the "profile-page" of an account that it finds.
So a malicious user can create a WebFinger at evil.com, then send out links to mastodon.example/@SexyFunTimes@evil.com, and have users instantly redirected to their site.
Most ActivityPub instances won't do this unless they've already seen the user being referenced. This can be achieved by sending a private message to a user on that server which mentions the redirection account.
Remediation
Given that it is sensible to redirect users to an account's home instance, I think there's really only one way to solve this. An annoying interstitial.
You are leaving XYZ.social. We do not control the page Illegal_Ivory_Smuggling.com. If you are sure you want to proceed, click here. Do not share your username and password with 3rd party sites etc etc etc.
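As an added illustration of both the WebFinger lookup described under "Why This Works" and the interstitial proposed here (this is my own sketch, not Mastodon's code), the Ruby below parses a WebFinger document built from the one shown above, checks that the remote server's "subject" actually matches the @user@domain that was requested, and only redirects a logged-out visitor directly when the profile page stays on the local host; any off-host destination is handed to a "You are leaving" page instead. The function names and the local host values are assumptions.

```ruby
require 'json'
require 'uri'

# Constructed WebFinger document, copied from the shape shown in the post.
WEBFINGER_DOC = <<~DOC
  {
    "subject": "acct:blog@shkspr.mobi",
    "aliases": ["https://shkspr.mobi/blog/@blog"],
    "links": [
      {"rel": "self", "type": "application/activity+json",
       "href": "https://shkspr.mobi/blog/@blog"},
      {"rel": "http://webfinger.net/rel/profile-page", "type": "text/html",
       "href": "https://shkspr.mobi/blog/@blog"}
    ]
  }
DOC

PROFILE_REL = 'http://webfinger.net/rel/profile-page'

# The /@name@domain that was requested must be the account the remote
# server says it is serving; a mismatch should not be silently accepted.
def subject_matches?(requested_acct, body)
  JSON.parse(body)['subject'].to_s.casecmp?("acct:#{requested_acct}")
end

# Pull the HTML profile page out of a WebFinger response; nil if absent.
def profile_page_from_webfinger(body)
  doc = JSON.parse(body)
  link = Array(doc['links']).find { |l| l['rel'] == PROFILE_REL && l['href'] }
  link && link['href']
end

# Decide what a logged-out visitor of https://<local_host>/@name@domain gets.
# [:redirect, url]            only when the target stays on this instance
# [:interstitial, host, url]  for any other host, so the "You are leaving
#                             XYZ.social" page can name the real destination
# [:not_found]                when there is no usable http(s) profile page
def logged_out_action(local_host, webfinger_body)
  href = profile_page_from_webfinger(webfinger_body)
  return [:not_found] if href.nil?
  target = URI.parse(href)
  return [:not_found] unless %w[http https].include?(target.scheme) && target.host
  if target.host.casecmp?(local_host)
    [:redirect, href]
  else
    [:interstitial, target.host, href]
  end
end
```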
I reported this to Mastodon on 2023-09-20. Apparently a number of other people have also reported it. While they work on how to fix the problem, I thought it was sensible to let people know that this attack was possible.
Timeline
- 2023-09-20 Disclosed on GitHub
- 2023-10-22 Added more details and sought agreement to publish
- 2023-10-29 Checked with various independent Mastodon server admins to see if they were aware of this behaviour - most were not
- 2023-10-30 Published
chrysn says:
@blog @colours How about we don't try to take blame for everything someone could conceivably do wrong? It has always been the taught rule that you check the URI in the address bar before entering bearer credentials (and if we want to do better, abolish them). Mastodon is already doing users a disservice by teaching that you can trust link texts. Let's not make this worse by teaching you can trust anything else than the address bar.
More comments on Mastodon.