Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Usurping Mastodon instances - mastodon.so/cial (CVE-2023-42451)

scumjr, posted 2 years ago
  • Mastodon is a decentralized Twitter-like replacement. Instead of a single website, there are many servers (instances) that are individually run. Instances talk to each other over HTTP requests carrying a signature for authenticity, and each user's public key can be used to verify that user's requests.
  • Signature validation works by fetching that public key and then checking that the signature matches the user and domain. The receiving instance splits the account identifier into the username (@donald) and the domain (@mastodon.com) to figure out where to query the public key from.
  • However, the parsing of the domain and the username is busted: when the domain is parsed, all slashes are removed from it. So the domain mastodon.so/cial becomes mastodon.social after parsing. This allows requests to be spoofed as coming from arbitrary users on other servers.
  • To exploit this, an attacker needs to control a domain that is a prefix of the target domain, so that the leftover characters can be supplied after a slash. For instance, the owner of mastodon.so could spoof mastodon.social. They used this to send private DMs as other users, which is pretty fire. Great bug find!
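The bug class above, as an added example in Ruby (Mastodon's own language) that is not scumjr's write-up code and not Mastodon's code: a slash-stripping domain normalizer beside a hardened one that rejects anything that is not a syntactically valid hostname, a check of which host a key fetch built from the raw string would actually contact, and a helper that tells you which suffix an attacker-controlled prefix domain would need. The function names, the hostname regex and the toy `resolve` routine are my own assumptions; the real Mastodon code paths differ.

```ruby
require 'uri'

# Hostname syntax: dot-separated RFC 1123 labels, at least two of them
# (single-label hosts such as "localhost" are deliberately rejected here;
# assumption for this example, not Mastodon's actual rule).
HOSTNAME_RE = /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}\z/i

# Split "@user@domain" (or "user@domain") into [username, raw_domain].
# The raw domain is everything after the first "@", including any junk.
def split_acct(acct)
  username, domain = acct.delete_prefix('@').split('@', 2)
  [username, domain]
end

# VULNERABLE (illustrates the class of bug described above): drops every "/",
# so "mastodon.so/cial" collapses to "mastodon.social".
def normalize_domain_vulnerable(domain)
  domain.downcase.delete('/')
end

# HARDENED: lowercase, strip a trailing dot, then refuse anything that is not
# a plain hostname. Returns nil on rejection instead of "repairing" the input.
def normalize_domain_safe(domain)
  d = domain.downcase.delete_suffix('.')
  d.match?(HOSTNAME_RE) ? d : nil
end

# Which host a key-fetch URL built from the raw (un-normalized) domain string
# would actually contact. For "mastodon.so/cial" that is mastodon.so, i.e. the
# attacker's server, while the account gets attributed to mastodon.social.
def key_fetch_host(raw_domain)
  URI.parse("https://#{raw_domain}/users/x").host
end

# Given an attacker-controlled domain and a victim domain, return the suffix
# the attacker must append after a slash for the collapse to work, or nil if
# the attacker's domain is not a proper prefix of the victim's.
def suffix_needed(attacker_domain, victim_domain)
  return nil unless victim_domain.start_with?(attacker_domain) && victim_domain != attacker_domain
  victim_domain[attacker_domain.length..]
end

# Toy model of what a receiving instance concludes about an inbound account
# identifier under a given normalizer (a Method object).
def resolve(acct, normalizer)
  username, raw_domain = split_acct(acct)
  attributed = normalizer.call(raw_domain)
  return { accepted: false } if attributed.nil?
  { accepted: true, username: username, attributed_domain: attributed,
    key_fetched_from: key_fetch_host(raw_domain) }
end

if __FILE__ == $PROGRAM_NAME
  acct = '@donald@mastodon.so/cial' # constructed input, mirrors the write-up
  p resolve(acct, method(:normalize_domain_vulnerable))
  p resolve(acct, method(:normalize_domain_safe))
  p suffix_needed('mastodon.so', 'mastodon.social')
end
```

The design point is the last line of `normalize_domain_safe`: a normalizer that silently rewrites hostile input into something valid is exactly what turned a typo-looking string into a trusted domain here, so validation should reject, not repair, and the host used for the key fetch should be derived from the same normalized value the account is attributed to, never from the raw string.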