CVE-2026-22246
Insecure Direct Object Reference in Mastodon Severed Relationships Disclosure

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon 4.3 added notifications of severed relationships, allowing end-users to inspect the relationships they lost as the result of a moderation action. The code allowing users to download lists of severed relationships for a particular event fails to check the owner of the list before returning the lost relationships. Any registered local user can access the list of lost followers and followed users caused by any severance event, and go through all severance events this way. The leaked information does not include the name of the account which has lost follows and followers. This has been fixed in Mastodon v4.3.17, v4.4.11 and v4.5.4.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (3 associated CPEs)
Vendor    Product    Version / Range
mastodon  mastodon   up to 4.3.17 (excluding)
mastodon  mastodon   up to 4.4.11 (excluding)
mastodon  mastodon   up to 4.5.4 (excluding)
CWE
CWE-201: The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
Executive Summary

This vulnerability in Mastodon allows any registered local user to access downloadable lists of severed relationships (lost followers and followed users) caused by moderation actions for any other user's severance events. The issue arises because the code fails to verify that the requesting user owns the severance event before returning the data. Although the leaked information does not include the names of the accounts that lost followers or follows, it still exposes sensitive relationship information. This flaw was fixed by restricting access so that users can only retrieve severed relationship events associated with their own account. [2, 1]

Impact Analysis

The vulnerability can impact you by exposing sensitive information about your social network relationships to other registered users on the Mastodon server. Specifically, other users could enumerate and access lists of your lost followers and followed users caused by moderation actions without your permission. This unauthorized disclosure affects the confidentiality of your relationship data, potentially leading to privacy concerns or unwanted exposure of your social connections. [2]

Detection Guidance

This vulnerability can be detected by attempting to access severed relationship events belonging to accounts other than the currently authenticated user via the endpoints `/severed_relationships/:id/following` or `/severed_relationships/:id/followers`, requesting CSV format. If the server returns data instead of a 404 Not Found response, the instance is vulnerable. The check is an authenticated HTTP request (for example with curl) to one of these endpoints using the ID of a severance event that does not belong to the authenticated user, and observing whether data is returned or access is denied. For example: `curl -i -H "Accept: text/csv" -b cookie.txt https://your.mastodon.instance/severed_relationships/<event_id>/followers` where `<event_id>` is an event ID not owned by the logged-in user. Receiving data indicates the vulnerability is present, while a 404 response indicates proper access control. [1, 3, 4]

Mitigation Strategies

The immediate mitigation step is to upgrade Mastodon to a fixed version: v4.3.17, v4.4.11, or v4.5.4, or a later release in the same series. These versions include patches that restrict access to severed relationship events to those associated with the currently authenticated user, preventing unauthorized enumeration of severance events. Until the upgrade can be applied, restrict access to the affected endpoints and monitor for suspicious access patterns. Applying the official patches or updates from Mastodon is the recommended and effective mitigation. [2]
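The fix described above is an ownership-scoped lookup. The following Ruby sketch is an added illustration, not Mastodon's code: the model, finder and event data are constructed stand-ins, and it shows why an unscoped `find` by event ID leaks any user's lists while a lookup scoped to the current account turns a foreign ID into a 404.

```ruby
require 'csv'

# Constructed in-memory stand-in for the Rails model (names are assumptions,
# not Mastodon's actual classes or schema).
SeveranceEvent = Struct.new(:id, :account_id, :lost_followers, :lost_following)

class NotFound < StandardError; end # the controller maps this to 404 Not Found

# Constructed sample data: event 1 belongs to account 100, event 2 to account 200.
EVENTS = [
  SeveranceEvent.new(1, 100, ['alice@example.org'], ['bob@example.org']),
  SeveranceEvent.new(2, 200, ['carol@example.org', 'dave@example.org'], []),
].freeze

# Vulnerable pattern: the event is located by id alone, so any logged-in
# account can request any event id and receive its lists (CWE-201 exposure).
def find_event_unscoped(_current_account_id, event_id)
  EVENTS.find { |e| e.id == event_id } or raise NotFound
end

# Fixed pattern: the search is restricted to the current account's own events,
# so an event owned by someone else is indistinguishable from a nonexistent one.
def find_event_scoped(current_account_id, event_id)
  EVENTS.find { |e| e.account_id == current_account_id && e.id == event_id } or raise NotFound
end

# CSV export of lost followers for one event; the finder is injected so the
# two behaviours can be compared against the same request.
def followers_csv(current_account_id, event_id, finder)
  event = finder.call(current_account_id, event_id)
  CSV.generate { |csv| event.lost_followers.each { |acct| csv << [acct] } }
end

if __FILE__ == $PROGRAM_NAME
  # Account 100 requests account 200's event: leaks with the unscoped finder,
  # 404 with the scoped one.
  puts followers_csv(100, 2, method(:find_event_unscoped))
  begin
    followers_csv(100, 2, method(:find_event_scoped))
  rescue NotFound
    puts '404 Not Found'
  end
end
```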

Compliance Impact

This vulnerability allows unauthorized access to sensitive relationship data between users, potentially leading to exposure of personal information without proper consent. Such unauthorized disclosure of user relationship data could violate privacy requirements under regulations like GDPR and HIPAA, which mandate strict controls on personal data access and confidentiality. Therefore, the vulnerability negatively impacts compliance by enabling data exposure that should be restricted to the data owner only. [2]
