BSI reveals serious security flaws in Matrix and Mastodon



The German Federal Office for Information Security (BSI), together with the Munich company MGM Security Partners, examined the source code of the Matrix messenger and the Mastodon social media application. As part of the Code Analysis of Open Source Software project (CAOS 2.0), the experts checked both services for potential flaws and found some. According to the analyses carried out in autumn 2023, Mastodon version 4.1.6 contained two security vulnerabilities rated high risk, with which an attacker could compromise users and, in particular, the application itself. The BSI immediately informed the responsible developers about these critical vulnerabilities; the developers have analyzed the flaws and have already responded.



According to the results report on the Twitter alternative Mastodon, these are the gaps CVE-2023-46950 and CVE-2023-46951. Both are cross-site scripting vulnerabilities in Sidekiq version 6.5.8 (part of Mastodon Contribs), which would allow an attacker to remotely obtain confidential information via a manipulated payload. The BSI rated this as having a "high risk potential".


The researchers found a further gap in a rate limit that can be circumvented. According to the study, its severity is increased by the fact that the application allows trivial passwords and unlimited enumeration of valid usernames. A vulnerability identifier for this issue is still pending. Mastodon also uses 22 dependencies on other open source code with known vulnerabilities rated critical or high. Other, considerably less security-critical findings include excessively long session validity, a (limited) ability for administrators to inject arbitrary CSS into the application, and unnecessary storage of sensitive data in the cache.
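The three weaknesses the report ties together here (a rate limit that can be worked around, trivial passwords, and unlimited username enumeration) are usually fixed at the same place: the login handler. The following is an added example written for this article, not code from Mastodon or from the BSI report. It shows a login routine that rejects trivial passwords, returns an identical response for unknown users and wrong passwords (and always performs the hash comparison, so the two cases cannot be told apart by timing), and counts attempts per client address and per account so that the budget cannot be reset by simply switching one of them. The user store, salt, iteration count and deny-list are constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed for this example: a static salt and a low PBKDF2 iteration
# count keep the example fast; a real deployment uses a per-user salt and a
# much higher work factor.
_SALT = b"constructed-static-salt"
_ITERATIONS = 20_000


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> password hash.
USERS = {"alice": _hash("correct horse battery staple")}
# Hash compared against when the user does not exist, so unknown users cost
# the same work as known ones (no timing-based enumeration).
_DUMMY = _hash("dummy-password-for-unknown-users")

# Constructed deny-list standing in for a real "most common passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "mastodon"}


def password_is_trivial(password: str) -> bool:
    """Reject passwords that are too short or on the deny-list."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


class RateLimiter:
    """Fixed-window counter keyed on an arbitrary hashable key."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(list)

    def allow(self, key, now: float) -> bool:
        # Drop attempts that fell out of the window, then count the rest.
        hits = [t for t in self._hits[key] if now - t < self.window_s]
        self._hits[key] = hits
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def login(username: str, password: str, client_ip: str,
          limiter: RateLimiter, now: float):
    """Return (status, message). The 401 message is identical for an unknown
    user and for a wrong password, so responses do not reveal valid names."""
    # Budget is tracked per source address AND per account name.
    if not (limiter.allow(("ip", client_ip), now)
            and limiter.allow(("user", username), now)):
        return (429, "too many attempts")
    stored = USERS.get(username, _DUMMY)
    # Always run the comparison, even for unknown users.
    matches = hmac.compare_digest(stored, _hash(password))
    if matches and username in USERS:
        return (200, "ok")
    return (401, "invalid username or password")
```

The `password_is_trivial` check belongs on the registration and password-change paths; the constant 401 message and the dummy hash close the enumeration channel on the login path; and the two-key limiter is what makes the rate limit hard to sidestep rather than merely present.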

In the second test, on the decentralized messenger server Matrix Synapse, the auditors found "some low-level vulnerabilities." Among other things, they determined that sessions remained valid for too long. In addition, uploaded files that were not end-to-end encrypted could be downloaded without authentication by anyone who knew the upload ID. Regular users were also able to end polls created by other users. Last but not least, the researchers found a way to bypass the fix for the vulnerability CVE-2023-32683.
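Three of the Synapse findings above are access-control gaps of two different kinds: a media download that needed no authentication at all, a poll action that was authenticated but not authorized (no ownership check), and sessions that stayed valid for too long. The following is an added example written for this article, not Synapse's code or data model; it puts the weak variant of each endpoint beside a hardened one so the missing check is visible. The in-memory stores, the token format and the eight-hour session lifetime are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

# Everything here is constructed for the example; it is not Synapse's schema.

SESSION_LIFETIME_S = 8 * 3600   # assumption: sessions expire after 8 hours

UPLOADS = {}    # upload_id -> Upload
POLLS = {}      # poll_id -> Poll
SESSIONS = {}   # token -> (username, expires_at)


@dataclass
class Upload:
    owner: str
    content: bytes


@dataclass
class Poll:
    creator: str
    open: bool = True


def create_session(username: str, now: float) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + SESSION_LIFETIME_S)
    return token


def session_user(token: str, now: float):
    """Resolve a token to a user; expired tokens are treated as absent."""
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    user, expires_at = entry
    if now >= expires_at:
        SESSIONS.pop(token, None)   # bounded validity: drop expired sessions
        return None
    return user


def store_upload(owner: str, content: bytes) -> str:
    upload_id = secrets.token_urlsafe(16)
    UPLOADS[upload_id] = Upload(owner, content)
    return upload_id


def download_weak(upload_id: str):
    """Weak pattern from the finding: knowing the upload ID is enough."""
    up = UPLOADS.get(upload_id)
    return (200, up.content) if up else (404, None)


def download_hardened(upload_id: str, token: str, now: float):
    """Hardened: no bytes are served without a valid, unexpired session."""
    if session_user(token, now) is None:
        return (401, None)
    up = UPLOADS.get(upload_id)
    return (200, up.content) if up else (404, None)


def create_poll(creator: str) -> str:
    poll_id = secrets.token_urlsafe(8)
    POLLS[poll_id] = Poll(creator)
    return poll_id


def end_poll_weak(poll_id: str, token: str, now: float) -> int:
    """Weak: any authenticated user may end any poll."""
    if session_user(token, now) is None:
        return 401
    poll = POLLS.get(poll_id)
    if poll is None:
        return 404
    poll.open = False
    return 200


def end_poll_hardened(poll_id: str, token: str, now: float) -> int:
    """Hardened: authentication plus an ownership (authorization) check."""
    user = session_user(token, now)
    if user is None:
        return 401
    poll = POLLS.get(poll_id)
    if poll is None:
        return 404
    if poll.creator != user:
        return 403   # logged in, but not the creator of this poll
    poll.open = False
    return 200
```

The two hardened handlers differ in which question they ask: `download_hardened` only asks "is this a logged-in user?", while `end_poll_hardened` additionally asks "is this user allowed to act on this particular object?". Both rely on `session_user` refusing expired tokens, which is what turns the session lifetime into an enforced limit rather than a nominal one.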

In the Matrix client Element, the experts discovered a security vulnerability rated low: a response header that the server does not set in its default configuration and which, if used correctly, can further increase the security of the application as a defensive measure. In Germany, Matrix forms the basis of the Bundeswehr's BwMessenger and of a new federal messenger, and the open source protocol also underlies a communication platform in the healthcare sector. Several dependencies with known vulnerabilities were also found in Synapse and Element.

In neither Mastodon nor Matrix could the auditors find evidence of a structured, tool-supported process for regularly identifying and fixing vulnerabilities. A relatively large amount of code duplication through copy-and-paste also indicated that the projects were at times developed haphazardly and without clear organization. In both cases, the experts therefore recommend manual or automated structural improvement of the source code (refactoring) to ensure general extensibility and, in particular, effective vulnerability management in the future.
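The recommendation above, together with the 22 vulnerable dependencies mentioned for Mastodon, amounts to one concrete practice: compare the locked dependency versions against an advisory feed on every build. Mastodon is a Ruby application, so its lock file is a `Gemfile.lock`. The following is an added example written for this article, not a tool from Mastodon or from the BSI; it parses the `specs:` section of a constructed lock file excerpt and flags any gem whose pinned version falls inside an advisory's affected range. The gem names, versions and advisory identifiers are placeholders, not Mastodon's real dependencies or real advisories; a production setup would feed in a real advisory database.

```python
import re

# Constructed Gemfile.lock excerpt (names and versions are placeholders).
LOCKFILE = """GEM
  remote: https://rubygems.org/
  specs:
    examplegem (1.2.3)
      otherlib (>= 3.0)
    otherlib (4.0.1)
    thirdthing (2.9.0)

PLATFORMS
  ruby
"""

# Constructed advisories: (gem, first affected version, first fixed version, id).
# The ids are placeholders, not real advisory numbers.
ADVISORIES = [
    ("examplegem", "1.0.0", "1.2.4", "ADVISORY-PLACEHOLDER-1"),
    ("otherlib", "3.0.0", "4.0.0", "ADVISORY-PLACEHOLDER-2"),
    ("notinstalled", "0.0.1", "9.9.9", "ADVISORY-PLACEHOLDER-3"),
]


def parse_version(version: str):
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_lockfile(text: str) -> dict:
    """Return {gem: version} for the top-level entries under 'specs:'.

    Top-level gems are indented by exactly four spaces; their transitive
    requirements are indented by six and are skipped."""
    specs = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if not in_specs:
            continue
        if line and not line.startswith("    "):
            in_specs = False        # left the specs block
            continue
        match = re.match(r"^    (\S+) \(([\d.]+)\)\s*$", line)
        if match:
            specs[match.group(1)] = match.group(2)
    return specs


def find_vulnerable(specs: dict, advisories) -> list:
    """Return [(gem, installed_version, advisory_id)] for every advisory whose
    affected range [introduced, fixed) contains the installed version."""
    findings = []
    for gem, introduced, fixed, advisory_id in advisories:
        installed = specs.get(gem)
        if installed is None:
            continue
        if parse_version(introduced) <= parse_version(installed) < parse_version(fixed):
            findings.append((gem, installed, advisory_id))
    return findings


def audit(text: str = LOCKFILE, advisories=ADVISORIES) -> list:
    return find_vulnerable(parse_lockfile(text), advisories)


if __name__ == "__main__":
    for gem, version, advisory_id in audit():
        print(f"{gem} {version}: affected by {advisory_id}")
```

Running `audit()` as a step in continuous integration, and failing the build on a non-empty result, is the smallest version of the "structured, tool-supported" process the auditors missed; the same comparison extends to Synapse's Python and Element's JavaScript lock files with a different parser in front of `find_vulnerable`.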

The collaborative project has been running since 2021. It aims to investigate the security of popular open source software and to support the responsible teams in writing secure code. The focus is on "applications that are increasingly being used by public authorities or private users". Manufacturers or developers are informed of discovered vulnerabilities through the responsible disclosure process. As part of the initiative, BSI and MGM have already examined the video conferencing tools Jitsi and BigBlueButton. Further code analyses are planned under CAOS 3.0.


(US)

