mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Server stats:

8.3K
active users

#AccountSecurity

1 post1 participant0 posts today

It's somewhat disheartening to see how many websites still have issues with complex passwords, impose ridiculous limits on password lengths, and/or the passwords containing "special characters"! 😑

I use password.oppetmoln.se for almost all my "random password" needs, set the length to at least 64 characters, and then let a password manager handle the rest.

👇

POMjsPOMjs - Random Password GeneratorPlain vanilla javascript random password generator

🚨 Mastodon Vulnerability Patched! CVE-2024-25618 🛡️

A security flaw - CVE-2024-25618 - was fixed, in Mastodon's software to prevent potential account takeovers. This vulnerability allowed attackers to bypass authentication mechanisms via a crafted request, posing a significant risk to the platform's integrity.

It enabled new logins from certain authentication providers (like CAS, SAML, OIDC) to merge with existing local accounts sharing the same email. This could lead to someone taking over your account if the provider allows changing emails or if there are multiple providers set up.

Here's how it works: When someone logs in using an external provider for the first time, Mastodon checks for an existing account with the same email. However, relying only on the email could result in hijacking your Mastodon account if the provider allows changing it. The Mastodon team swiftly deployed a patch, reinforcing the security of user accounts and the broader ecosystem. Remember, keeping software up-to-date is crucial for safeguarding against such vulnerabilities. 🔄🔐

The commit "b31af34c9716338e4a32a62cc812d1ca59e88d15" signifies this update. For further details, check out their advisory.

A big thanks to the discoverers Dominik George and Pingu from Teckids, and the Mastodon team for their rapid response in improving our digital defenses. Stay secure, everyone! ✨🐘

Tags: #CVE2024_25618 #Mastodon #Cybersecurity #PatchUpdate #AccountSecurity #AuthenticationBypass #DigitalDefense #CommunityVigilance 🌍🔒

MITRE CVE-2024-25618 Summary

GitHubExternal OpenID Connect Account Takeover by E-Mail Change### Summary Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible a...