18 votes

Mastodon social network patches critical flaws allowing server takeover

5 comments

  1. giggle

    Here I will quote the critical part of the post: "The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance."

    Another cool thing about this, is that those vulns are found in a pentest funded by Mozilla.

    I chose to share this one on ~tech because ~comp seems to be less general. But in fact I believe those kinds of topics deserve a new group, ~security; it's just an idea. What do you all think about a specific group to talk about security-related things like vulns, patches, hacks, maybe even opsec?

    11 votes
    1. Corsy

      More tangible evidence showing the need for penetration tests. The organization I work for is way behind, but at the very least they have 1+ annual pentests.

      Re: a security subgroup--there was some consternation about creating one because "everyone who'll post there won't know what they're talking about"

      2 votes
      1. giggle

        Well, it seems that there are a lot of people on ~tech and ~comp who have a deep understanding of different things. I assume that those also know security-related things, and this will allow for constructive topics.

        1 vote
  2. switchgear

    Slightly off topic, but I think the problem with Mastodon and Lemmy is that it's social media for the perpetually online tech savvy. It's a self-limiting userbase because the barrier to entry is higher than any other social media. In order to understand and appreciate it, you have to be a tech dweeb. It's like trying to convince the average person of the benefits/uses of crypto; even if they understand, they probably don't care. I also feel like, on some level, its purpose is just self-referential. Like modern country music. The purpose of Mastodon and Lemmy is to talk about Mastodon and Lemmy.

    7 votes
    1. EgoEimi

      I agree, but this would be off-topic.

      However, this brings up the interesting matter of how UX intersects with security. The article has a telling final sentence:

      To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.

      I hope it was written with irony, because nobody is going to do this.

      Large instances with significant resources will keep up to date with security. Smaller hobby instances will lag behind. Malicious actors will exploit this fact.

      3 votes