Mastodon Web Push Subscription Tampering Vulnerability

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in Mastodon, a social network server based on ActivityPub. This issue affects versions prior to 4.3.18, 4.4.12, and 4.5.5. It allows any authenticated user to update another user's web push subscription by guessing or otherwise obtaining the subscription ID, which can disrupt push notifications for the targeted user and leak the web push subscription endpoint. Users with web push subscriptions are impacted, since an authenticated user who knows the subscription ID can manipulate its settings; exploitation could involve changing notification filters and types, thereby interfering with the user's notification experience.
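The root cause described above is a lookup keyed on the subscription ID alone, with no check that the record belongs to the requesting user. The following Ruby is an added illustration of that defect beside the owner-scoped fix; it is not Mastodon's code (the page shows none), and the class names, the in-memory store, the sample users and the endpoint URLs are all constructed for this example.

```ruby
# Added example: unscoped vs. owner-scoped lookup of a web push subscription.
# Not Mastodon's code; all names and data below are constructed.

User = Struct.new(:id, :name)

# A subscription carries its owner, the push endpoint URL (the value the
# advisory says leaks) and the alert filters an attacker could tamper with.
PushSubscription = Struct.new(:id, :user_id, :endpoint, :alerts)

class NotFound < StandardError; end

# Constructed sample data: two users (ids 10 and 20), one subscription each.
# A fresh store per call keeps the two scenarios below independent.
def build_store
  {
    1 => PushSubscription.new(1, 10, "https://push.example/sub/aaa", { "mention" => true }),
    2 => PushSubscription.new(2, 20, "https://push.example/sub/bbb", { "mention" => true }),
  }
end

# Vulnerable lookup: resolves the record by id alone, so any authenticated
# user who knows or guesses an id can read and modify another user's record.
def find_subscription_unscoped(store, _current_user, id)
  store.fetch(id) { raise NotFound }
end

# Fixed lookup: the record must belong to the requesting user. An id that
# exists but belongs to someone else is reported exactly like a missing id,
# so the response does not even confirm that the id is valid.
def find_subscription_scoped(store, current_user, id)
  sub = store[id]
  raise NotFound if sub.nil? || sub.user_id != current_user.id
  sub
end

# Update handler; `scoped:` selects which lookup is used so both can be compared.
# Returns the representation a client would receive, endpoint included.
def update_alerts(store, current_user, id, new_alerts, scoped:)
  sub = if scoped
          find_subscription_scoped(store, current_user, id)
        else
          find_subscription_unscoped(store, current_user, id)
        end
  sub.alerts = new_alerts
  { id: sub.id, endpoint: sub.endpoint, alerts: sub.alerts }
end

if __FILE__ == $0
  alice   = User.new(10, "alice")
  mallory = User.new(20, "mallory")

  # Unscoped: mallory rewrites alice's filters and learns her endpoint.
  store = build_store
  puts update_alerts(store, mallory, 1, { "mention" => false }, scoped: false).inspect

  # Scoped: the same request is rejected; only the owner can change the record.
  store = build_store
  begin
    update_alerts(store, mallory, 1, { "mention" => false }, scoped: true)
  rescue NotFound
    puts "mallory -> subscription 1: not found"
  end
  puts update_alerts(store, alice, 1, { "mention" => false }, scoped: true).inspect
end
```

The scoped variant is the pattern to look for when reviewing any update endpoint that takes a record ID: the lookup should start from the authenticated user's own records rather than from the global table, and an ownership mismatch should be indistinguishable from a non-existent record.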

Impact

Exploitation of this vulnerability allows unauthorized modification of another user's web push subscription settings, disrupting their push notifications. It also leaks the web push subscription endpoint, but not the keypair.

Remediation

Users can upgrade to Mastodon versions 4.5.5, 4.4.12, or 4.3.18 to address this vulnerability.

Added: Jan 22, 2026, 3:25 AM
Updated: Jan 22, 2026, 3:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 4.8
remediation: 0.0
relevance: 2.3
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.