Re: Protocol-level attacks?

This year saw (re-)outbreaks of a couple of classes of vulnerability 
that have affected multiple Fediverse implementations:

## Type confusion attack

- Pleroma: 
<https://git.pleroma.social/pleroma/pleroma/-/issues/1948#note_67278>
- Mastodon (CVE-2024-25623): 
<https://github.com/mastodon/mastodon/security/advisories/GHSA-jhrq-qvrm-qr36>
- Misskey (CVE-2024-25636): 
<https://github.com/misskey-dev/misskey/security/advisories/GHSA-qqrm-9grj-6v32>

In addition to the impersonation and account takeover attacks described 
in the linked advisories, this allows potentially malicious 
user-uploaded Activity Streams documents on arbitrary HTTP servers like 
GitHub to be accepted by ActivityPub servers.

Although the ActivityPub spec's recommendation against this class of 
attack hasn't been published yet 
(<https://github.com/w3c/activitypub/issues/432>), the current common 
practice is to check the `Content-Type` of remote documents.

## Spoofing attack against Linked Data Signatures

- Mastodon (CVE-2022-24307): 
<https://nvd.nist.gov/vuln/detail/CVE-2022-24307>
- Misskey (CVE-2024-32983): 
<https://github.com/misskey-dev/misskey/security/advisories/GHSA-2vxv-pv3m-3wvj>
- PeerTube: 
<https://github.com/Chocobozzz/PeerTube/commit/b8635c260694fe9207a2db2be25135dcfada67f3>

See <https://github.com/mastodon/mastodon/pull/17733> for Mastodon's 
test case. The current practice is to apply the JSON-LD compaction 
algorithm to incoming signed activities.

Also, I have a PoC for Misskey's CVE-2024-32983, but I haven't disclosed 
it yet. I've been considering disclosing it soon-ish, as it's been more 
than a month since the patch was released.

That said, I'd argue that new Fediverse implementations shouldn't 
implement Linked Data Signatures, since it's an old spec superseded by 
Verifiable Credentials Data Integrity. Though, the old spec is still 
useful for compatibility with Mastodon today.

On 2024/07/06 8:38, Johannes Ernst wrote:
> Is anybody aware of any protocol-level attacks against ActivityPub 
> and/or the rest of the protocol stack constituting the fediverse?
>
> If you were to be on team red, how would you go about it?
>
> While I don’t want to create more work for ourselves :-) I am 
> wondering from the FediTest.org <http://FediTest.org> perspective: is 
> there something we should be testing to assess “resilience against 
> attack”?
>
> Brainstorm ideas welcome.
>
> Cheers,
>
> Johannes.
>
> Johannes Ernst
>
> Fediforum <https://fediforum.org/>
> Dazzle Labs <https://dazzlelabs.net/>
>

-- 
Daiki "tesaguri" Mizukami
<mailto:tesaguriguma@gmail.com>
Fediverse: @tesaguri@fedibird.com <https://fedibird.com/@tesaguri>
Matrix: @tesaguri:matrix.org <https://matrix.to/#/@tesaguri:matrix.org>
GitHub: <https://github.com/tesaguri>
Keybase: <https://keybase.io/tesaguri>
OpenPGP: <openpgp4fpr:293ada14a1cb0b1c2313310110478e598b944aa2>

Received on Saturday, 6 July 2024 16:33:21 UTC
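The `Content-Type` check described in the message above for the type confusion class, as an added example that is not from the original message or from any of the linked projects; function names, the exception class and the sample documents are constructed for illustration, and the check accepts both ActivityPub media types (`application/activity+json`, and `application/ld+json` carrying the Activity Streams profile) while rejecting anything else.

```python
"""Accept a fetched Activity Streams document only when the server declared an
ActivityPub media type. Constructed example; not any project's real code."""
import json

# Profile URI that must accompany application/ld+json for ActivityPub.
AS2_PROFILE = "https://www.w3.org/ns/activitystreams"


class RejectedDocument(Exception):
    """Raised when a remote document must not be treated as ActivityPub."""


def parse_content_type(header):
    """Split 'type/subtype; a=b; c="d"' into a lowercased media type and a
    dict of parameters (names lowercased, quotes stripped from values)."""
    media_type, _, rest = header.partition(";")
    params = {}
    for part in rest.split(";"):
        name, sep, value = part.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name.strip().lower()] = value
    return media_type.strip().lower(), params


def is_activitypub_media_type(header):
    """True only for the two media types ActivityPub defines. A plain
    application/ld+json or application/json header is not enough, so a
    document served by an unrelated file host is rejected here."""
    media_type, params = parse_content_type(header)
    if media_type == "application/activity+json":
        return True
    if media_type == "application/ld+json":
        # The profile parameter may list several space-separated URIs.
        return AS2_PROFILE in params.get("profile", "").split()
    return False


def accept_remote_document(content_type, body):
    """Parse the response body as an ActivityPub object, or refuse it."""
    if not is_activitypub_media_type(content_type):
        raise RejectedDocument(f"not an ActivityPub media type: {content_type!r}")
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise RejectedDocument("top-level Activity Streams value must be an object")
    return doc


# Constructed sample actor document used for the checks below.
SAMPLE_ACTOR = json.dumps({"@context": AS2_PROFILE,
                           "id": "https://example.social/users/alice",
                           "type": "Person"})
```

Note that a static file host typically serves an uploaded JSON file as `text/plain` or `application/json`, which this check refuses even though the body parses fine.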