Summary
Misskey doesn't perform proper normalization on the JSON structures of incoming signed ActivityPub activity objects before processing them, allowing threat actors to spoof the contents of signed activities and impersonate the authors of the original activities.
Details
The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.
PoC
The reporter intends to keep this section undisclosed at least for 30 days after the publication of the advisory and until the remedy has been deployed widely.
Impact
The vulnerability allows a threat actor to impersonate a target remote account and perform spoofed activities of any type attributed to the target account, provided that the threat actor has access to a valid Linked Data Signature by the target account.
There are a number of situations where the threat actor can obtain a valid signature by the target account, including:
- The target account sends a signed activity to another account and the recipient account's server forwards the activity to a server controlled by the threat actor according to the inbox forwarding mechanism of ActivityPub
- The target account has joined a relay to which a server controlled by the threat actor subscribes, and sends a signed activity to that relay
Timeline
| Date and time | Event |
| --- | --- |
| 2022-02-03 | The same kind of vulnerability in Mastodon was disclosed: CVE-2022-24307 |
| 2024-04-29Z | PeerTube released v6.1, which fixes the same kind of vulnerability |
| 2024-04-29T14:36Z | Iceshrimp released v2023.12.7, which fixes the same vulnerability |
| 2024-04-29T18Z | This advisory was published |
| 2024-04-29Z | Meisskey released v10.102.699-m544 and v11.37.1-20240430023339, which fix the same vulnerability, and published a security advisory |
| 2024-04-29Z | Firefish released v20240430, which fixes the same vulnerability |
| 2024-05-09T20:32:38Z | Sharkey released v2024.3.3, which fixes the same vulnerability |