Conversation
Notices
-
Alex Gleason (alex@gleasonator.com)'s status on Friday, 26-May-2023 06:22:30 JST
# nginx: refuse both admin API paths at the reverse proxy
location /api/pleroma/admin { return 403; }
location /api/v1/pleroma/admin { return 403; }
-
Alex Gleason (alex@gleasonator.com)'s status on Friday, 26-May-2023 06:22:29 JST
@nekofag The leak was dumped from the Admin API. Therefore, the attacker obtained an OAuth token for an admin user. How did they do that? Regardless, shutting down the admin API will minimize the attack surface. Long term, the right thing to do is to whitelist certain IPs to access it.
-
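Added example, not one of the posts above and not Pleroma's shipped nginx configuration: the IP allowlist that the post describes as the long-term fix, written with nginx's ngx_http_access_module in place of the blanket 403. The two addresses, the upstream name "phoenix" and the path regex are assumptions for illustration.

```nginx
# Added example: admit the Pleroma admin API only from operator addresses
# rather than returning 403 to everyone. Placeholders: the two allow entries
# (documentation ranges from RFC 5737 / RFC 3849) and the upstream "phoenix".
# A regex location takes precedence over the usual "location /" prefix block,
# so both the legacy path and the /api/v1/ path land here; put it before any
# other regex location that could match /api.
location ~ ^/api/(v1/)?pleroma/admin(/|$) {
    allow 203.0.113.10;      # assumed operator workstation
    allow 2001:db8::/64;     # assumed operator network
    deny  all;               # every other client gets 403

    # Same proxy settings as the rest of the instance (assumed upstream name).
    proxy_pass http://phoenix;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

The access module decides on $remote_addr, so if the instance sits behind a CDN or another proxy, set_real_ip_from and real_ip_header have to be configured first; otherwise the allowlist sees the proxy's address instead of the client's. Validate with nginx -t, then confirm with curl from an allowed and a disallowed address that the first gets through and the second receives 403.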
Nekobit :malloc: (nekofag@rdrama.cc)'s status on Friday, 26-May-2023 06:22:30 JST
@alex Is this the workaround for the vulnerability?
-
Alex Gleason (alex@gleasonator.com)'s status on Friday, 26-May-2023 08:57:28 JST
@feld @nekofag Mastodon rejects authorizations if the scope contains "admin".
-
🌲Number 1 Pleroma Criminal on XBL 🇵🇱|🇺🇸 (phenomx6@fedi.pawlicker.com)'s status on Friday, 26-May-2023 08:57:28 JST
@alex @feld @nekofag How's Misskey with this?
-
Alex Gleason (alex@gleasonator.com)'s status on Friday, 26-May-2023 08:57:29 JST
@feld @nekofag Most apps don't request admin scope. Only Soapbox and AdminFE, that we know of.
-
feld (feld@bikeshed.party)'s status on Friday, 26-May-2023 08:57:30 JST
I'm gonna guess a targeted attack; maybe they tricked an admin into trying a new (backdoored) Mastodon app and slurped up their token that way.
-