Mastodon Open Redirect Vulnerability in Web Route Allowing Phishing and OAuth Credential Theft
Vulnerability
An unauthenticated open redirect has been identified in Mastodon versions prior to 4.5.8, 4.4.15, and 4.3.21. The issue lies in the '/web/*' route: URL-encoded path segments are handled improperly, so an attacker can craft a link on a legitimate instance that sends the visitor to an arbitrary external domain. The root cause is that Rails normalizes the raw, still-encoded request path, so a percent-encoded slash is not collapsed there and is only decoded afterwards by the handler; the decoded value can then become a protocol-relative ('//host') redirect rather than a host-relative path on the instance. The resulting links can be used for phishing and for stealing OAuth credentials.
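The mechanism described above, as an added illustrative example that is not Mastodon's code and not the actual patch: a toy '/web/*remainder' handler in Ruby, the vulnerable form beside a hardened one. The route shape, the function names, the instance origin mastodon.example and the attacker host evil.example are all constructed for the example. The one assumption about the bug is that the handler decodes the captured remainder and joins it onto '/', so a percent-encoded slash that raw-path normalization left alone decodes into a leading slash and turns the target into a protocol-relative URL.

```ruby
require "cgi"
require "uri"

# Constructed for this example: the origin of the instance serving the route.
INSTANCE_ORIGIN = "https://mastodon.example"

# Vulnerable model (hypothetical, not Mastodon's code): a "/web/*remainder"
# route that decodes the captured remainder and redirects to "/<remainder>".
# Rails normalises the raw request path, so a literal "/web//evil.example"
# becomes "/web/evil.example" before routing; but "/web/%2Fevil.example" is
# untouched there and is only decoded here, yielding "//evil.example".
def vulnerable_redirect_target(remainder)
  "/" + CGI.unescape(remainder)
end

# Hardened model: only ever redirect to an absolute path on this origin.
# The check runs on the *decoded* value, which is the value a browser sees.
def safe_redirect_target(remainder)
  decoded = CGI.unescape(remainder)
  fallback = "/"

  # A leading "/" or "\" after decoding would make "/<decoded>" start with
  # "//" (or "/\"), which browsers read as a protocol-relative URL.
  return fallback if decoded.start_with?("/", "\\")
  # An explicit scheme ("https://evil.example", "javascript:...") is never a path.
  return fallback if decoded.match?(/\A[a-z][a-z0-9+.\-]*:/i)
  # Control characters and backslashes have no place in a redirect path.
  return fallback if decoded.match?(/[\x00-\x1f\x7f\\]/)

  target = "/" + decoded
  begin
    parsed = URI.parse(target)
  rescue URI::InvalidURIError
    return fallback
  end
  # Belt and braces: the parsed result must be a bare path with no scheme or host.
  return fallback unless parsed.scheme.nil? && parsed.host.nil? && parsed.path.start_with?("/")
  target
end

# Where a browser following the redirect actually lands, resolved against the
# instance origin exactly as a relative Location header would be.
def resolved_location(target)
  URI.join(INSTANCE_ORIGIN, target).to_s
end

if __FILE__ == $PROGRAM_NAME
  ["notifications", "%2Fevil.example/login"].each do |remainder|
    puts "/web/#{remainder}"
    puts "  vulnerable -> #{resolved_location(vulnerable_redirect_target(remainder))}"
    puts "  hardened   -> #{resolved_location(safe_redirect_target(remainder))}"
  end
end
```

The hardened version validates the decoded value, which is what the browser will see, rather than the raw request path, and treats a leading slash or backslash, an explicit scheme, and any parsed host as disqualifying; everything else is forced onto a single leading slash on the instance's own origin. On Rails 7 and later, redirect_to also accepts allow_other_host: false, which makes the framework itself refuse a target whose parsed host differs from the request host; that is a useful second line of defence but does not replace validating the path you construct.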
Impact
Exploitation requires no authentication and yields an open redirect from a trusted instance URL. That redirect can be used for phishing, for harvesting credentials through a fake login page on the attacker's domain, for intercepting OAuth authorization codes when the redirect is chained into a login or authorization flow, and more generally for abusing the trust users place in a legitimate instance domain, since the link they click genuinely points at the instance.
Remediation
Instance administrators should upgrade to Mastodon 4.5.8, 4.4.15, or 4.3.21 (the patched release of the corresponding branch) or later.
