James-PE (Starnix) /
npub1kfe…fnvf
2023-05-27 18:23:16


It was recently discovered that pleroma is susceptible to a type of XSS-like attack (but not exactly an XSS) using certain file extensions to obfuscate the extraction of a user's OStatus token. This type of attack appears to only be affecting servers that cache media from remote servers using the remoteproxy functionality in pleroma.

Content Security Policy headers do not appear to be applied to both local and cached media; only local media appears to have protection. As we only use remote fetch and do not cache any remote media on this server, and upon my own investigation, I do not have any evidence of the files and scripts that appear to be responsible for the server leaks of poast and baest having federated on this server.

However, out of an abundance of caution, I have added several security restrictions to nginx and to the administration of pl, mstdn, and mk, to hopefully combat the recent attacks on fediverse instances.

The rest is going to have to be up to you guys to actually do your due diligence and not click on anything that looks suspicious; that should go without saying, but I have a feeling that a little bit of social engineering was used in the recent attack.

1. Don't click links in unsolicited DMs
2. DO NOT click attachments on pleromaFE that look like this https://pl.starnix.network/notice/AW2mnx8RhGoIGZm2eO
3. DO NOT put any personally identifiable information in pleroma/misskey/mastodon or ANY fediverse DMs; these messages are not encrypted, I can read them and so can the hacker who BTFO'd the server with an unknown zero-day.

The rest is optional, but it would be good practice: you can sign out and back into your pleroma account and that will reset your OStatus token. Again, I don't think our server got leaked, and none of your accounts are the target; they are after the fediverse admins.

Published at 5/26/2023 #starnix
Author Public Key
npub1kfegdvu2la96967sa5xgxv7eqat3ecu9jfgk87f5f2jvwncy9njsz6fnvf
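The post notes that CSP headers protected locally uploaded media but not media served through the remote media proxy. The snippet below is an added illustration (not the author's nginx config and not Pleroma's own) of the hardening an instance admin could apply at the reverse proxy: it assumes the default Pleroma media-proxy path prefix `/proxy/` and an upstream block named `phoenix`, both of which are assumptions to adjust per deployment.

```nginx
# Added example, not from the original post. Assumes Pleroma's default
# media-proxy prefix /proxy/ and an upstream named "phoenix" (both assumptions).

# Weak setting: proxied remote media is passed through with whatever headers
# the upstream sends, so a cached file opened as a top-level document is
# rendered in the instance origin with no CSP restrictions.
#
# location /proxy/ {
#     proxy_pass http://phoenix;
# }

# Hardened setting: every response under /proxy/ gets a fixed, restrictive CSP.
location /proxy/ {
    proxy_pass http://phoenix;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Drop any CSP the upstream may set so the header below is the only one.
    proxy_hide_header Content-Security-Policy;

    # "sandbox" applies when the file is navigated to as a document (the
    # "clicked an attachment" case): no script, no forms, opaque origin.
    # default-src 'none' blocks sub-resource loads from within such a file.
    # "always" keeps the header on 4xx/5xx responses too.
    add_header Content-Security-Policy "sandbox; default-src 'none'" always;

    # Refuse MIME sniffing so a file with a misleading extension is not
    # upgraded to an active content type by the browser.
    add_header X-Content-Type-Options "nosniff" always;

    # Do not send the viewer's session cookie to a proxied media URL.
    proxy_set_header Cookie "";
}
```

Note that nginx's `add_header` directives in a `location` block replace, rather than extend, those inherited from the enclosing `server` block, so any site-wide headers (HSTS and the like) must be repeated inside this location or they will silently disappear for proxied media.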