Conversation

Notices

Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:07:22 JST Kirino Kousaka
- cassidyclown
Be sure to update Pleroma, it fixes a pretty major potential exploit.
To give context:
I found a huuuuuge exploit in Pleroma which (in my opinion) had the capacity to surpass the recent one in terms of damage to the userbase.
The reason for this simply being it did not require token hijacking and was able to be exploited by any user on any instance with around 30-40 lines of code.
It would have been super scary (scarier than spooky Kirino!!) But I sent it to the right people and an update has gone through that fixes it
You can all thank and give me praise later ^^
Also big ups to @cassidyclown for helping me run some tests when I first discovered the exploit and @mint for actually digging through the dumpster fire of a backend and submitting a merge request.

In conversation about a year ago from seal.cafe permalink
- likes this.
- Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:12:06 JST Kirino Kousaka
  in reply to
  @DocScranton To be clear, you don’t have to worry about it as a single-user instance but still update!
  I discovered the exploit while thinking of how to make my insult bot send out insults faster, I had the idea of reusing previous Media Attachment IDs so that it didn’t have to repeatedly upload files.
  I tested this and it worked so on a whim I said “Huh, I wonder if I could POST someone else’s Media Attachment ID in my API call” and that worked. It was then I thought “Huh… these IDs look like they’re just a sequential series of numbers… “
  I then had a VERY devious idea to see if private chats and DMs used the same list, which I found out they do. I coupled both these pieces of information together and thought “I wonder if I could attach a someone else’s private Media Attachment ID to a public post” and it turns out YES, YOU CAN
  In conclusion: On any public instances NO photos were actually private and it would only take a bad actor looping through all IDs in the object table until he found the photos for them to be leaked.
  My initial report can be found here: https://docs.google.com/document/d/1akVy15fpksV3QulTz5f37XeaR0Xxw-TnVc9TFSL_Rus/
  In conversation about a year ago permalink
  Attachments
  1. Untitled attachment
  2. First Draft Report of Media Attachment Exploitation
    
    FINAL Draft Sequentially Successive Identifiers and Their Relation to Media Exploitation Bug Report by Kirino Abstract I have identified what I believe to be a critical issue in uploaded media’s security. When POSTing a status through “v1/statuses” there are no checks performed on potential Me...
  likes this.
- Rusty Crab (rustycrab@shitposter.club)'s status on Sunday, 03-Sep-2023 22:18:53 JST Rusty Crab
  in reply to
  @Kirino @cassidyclown @DocScranton @mint REMINDER NOT TO CLICK GOOGLE DRIVE LINKS WHILE LOGGED IN UNLESS YOU LIKE DOXING YOURSELF
  
  In conversation about a year ago permalink
  
  likes this.
- Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:26:02 JST Kirino Kousaka
  in reply to
  I warned all of you >:D I’ll break out my 1337 speak translator!
  
  In conversation about a year ago permalink
- bot :kiwi_dumbbell: (bot@seal.cafe)'s status on Sunday, 03-Sep-2023 22:26:02 JST bot :kiwi_dumbbell:
  in reply to
  Btw I think this was sort of already known, that lamp guy did this for mastodon social, he gathered links for every single file upload including those in DMs and posted it lol.
  
  In conversation about a year ago permalink
- (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:26:02 JST
  in reply to
  @bot @cassidyclown @DocScranton @Kirino @RustyCrab I think that was due to their faulty s3 setup and not even necessarily Mastodon bug.
  
  In conversation about a year ago permalink
- bot :kiwi_dumbbell: (bot@seal.cafe)'s status on Sunday, 03-Sep-2023 22:26:03 JST bot :kiwi_dumbbell:
  in reply to
  Hacker Kirino!
  
  In conversation about a year ago permalink
- Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:26:04 JST Kirino Kousaka
  in reply to
  Good point, will remove the link just in case for other people.
  
  In conversation about a year ago permalink
- (mint@ryona.agency)'s status on Sunday, 03-Sep-2023 22:31:29 JST
  in reply to
  - cassidyclown
  - Andrew :latin_cross:
  @CyberShell @cassidyclown @Kirino :gleason: haven't backported the patch yet so yes.
  
  In conversation about a year ago permalink
- Andrew :latin_cross: (cybershell@nicecrew.digital)'s status on Sunday, 03-Sep-2023 22:31:30 JST Andrew :latin_cross:
  in reply to
  - cassidyclown
  Is Rebased/SoapBox vulnerable?
  
  In conversation about a year ago permalink
- Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:42:23 JST Kirino Kousaka
  in reply to
  I think Alex may have me muted/blocked (which is completely fair lmao) so maybe re-post the PDF at him and tell him about v2.5.5 of Pleroma :P
  
  In conversation about a year ago permalink
  
  likes this.
- Andrew :latin_cross: (cybershell@nicecrew.digital)'s status on Sunday, 03-Sep-2023 22:42:24 JST Andrew :latin_cross:
  in reply to
  cc @alex
  
  In conversation about a year ago permalink
- NonPlayableClown (nonplayableclown@postnstuffds.lol)'s status on Sunday, 03-Sep-2023 22:42:57 JST NonPlayableClown
  in reply to
  Why do you think Alex blocked you?
  What may have caused it 🤣
  
  In conversation about a year ago permalink
- Kirino Kousaka (kirino@seal.cafe)'s status on Sunday, 03-Sep-2023 22:42:57 JST Kirino Kousaka
  in reply to
  5 reasons off the top of my head:
  1. The comfo speak a while back
  2. The excessive bigotry on my timeline
  3. Demanding he add ridiculous features while also not explaining them
  4. I think I said for every cow he didn’t eat I would eat one, just to show him who is boss
  5. I threatened to replace his Ethernet cables with Cat2s so his network would be slow and he wouldn’t be able to figure out why.
  In conversation about a year ago permalink
  
  likes this.
- Moon (moon@shitposter.club)'s status on Sunday, 03-Sep-2023 23:00:58 JST Moon
  in reply to
  - cassidyclown
  @Kirino @cassidyclown @mint Thank you for your service.
  
  In conversation about a year ago permalink
  
  likes this.

Public

Conversation

Notices

Feeds