Crossposted from https://gehirneimer.de/m/updates@kbin.melroy.org/t/766866/Mbin-security-disclosure

As most of the servers listed on the fediverse.observer and fedidb are not at v1.8.3 anymore, we need to talk about the security patch we released as part of v1.8.4. We have tried to get in touch with the remaining instance admins and gave them a week to update their instances.

In v1.8.3 a bug was introduced that caused a significant information leak on the user outbox endpoint, reachable through https://mbin.instance/u/username/outbox. This endpoint contains all public activities of a user. On servers running v1.8.3 this endpoint did not return JSON in an ActivityPub compatible format, but just serialized data. This serialized data contained nearly every bit of data Mbin has about a user: the IP, the email address, the private key to sign activities from this user, securely hashed passwords, 2FA secret and backup codes, etc. We think it is unlikely that someone made use of this, as this endpoint is not commonly used. Other ActivityPub software of course uses this endpoint to fetch data, but if that data is not in a compatible format it just ignores it.

We are very sorry about this and honestly very frustrated that it slipped by.

What can users do

The only thing you can really do is to change your password and two-factor authentication (disable and re-enable it).

What can admins do

You could check your access logs for any requests on this endpoint not coming from a known fediverse software to research your specific instance.

What did we do / What are we going to do

To prevent this from happening again we introduced automated tests on that endpoint and will do so on similar new endpoints (like a magazine outbox) in the future.

We will also add a new command next release to generate new private keys for all users to prevent impersonation. However, that might cause rejected activities for up to 24 hours. Every software we checked updates remote users at least every 24 hours, including re-fetching the private key.

Technical explanation for those interested

With v1.8.3 we refactored a lot of the ActivityPub code. The reason we did that was simply because we did not save any outgoing activities, as in: we did not record what we sent out to other servers. Since v1.8.3 other servers can actually query the URLs we sent them.
Behind the scenes that means that we are now saving something to the database that we previously didn’t do. In the process of this all *Factory and *Wrapper classes now return an Activity object instead of an associative array. Because the user outbox endpoint was forgotten, it just returned an array of these Activity objects that were then serialized, instead of the correct way introduced with v1.8.3, which is to call ActivityJsonBuilder::buildActivityJson.
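The access-log check suggested for admins above, written out as an added example (not code from the Mbin project or the disclosure): it parses nginx "combined" log lines, keeps successful fetches of /u/<user>/outbox, drops requests whose user agent matches an assumed allow-list of fediverse implementations, and reports the remaining client IPs and the users whose outbox they fetched. The log lines and the allow-list are constructed assumptions; extend the list with whatever actually federates with your instance.

```python
import re
from collections import Counter

# Constructed sample lines in nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Sep/2024:10:01:02 +0000] "GET /u/alice/outbox HTTP/1.1" 200 5123 "-" "http.rb/5.1.1 (Mastodon/4.2.10; +https://mastodon.example/)"
203.0.113.11 - - [12/Sep/2024:10:02:15 +0000] "GET /u/alice/outbox HTTP/1.1" 200 4890 "-" "Lemmy/0.19.5; +https://lemmy.example"
198.51.100.7 - - [12/Sep/2024:10:03:40 +0000] "GET /u/alice/outbox?page=1 HTTP/1.1" 200 5123 "-" "curl/8.4.0"
198.51.100.7 - - [12/Sep/2024:10:03:41 +0000] "GET /u/bob/outbox HTTP/1.1" 200 5001 "-" "curl/8.4.0"
203.0.113.12 - - [12/Sep/2024:10:04:00 +0000] "GET /u/alice HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Sep/2024:10:05:00 +0000] "GET /u/carol/outbox HTTP/1.1" 404 153 "-" "python-requests/2.31"
"""

# Assumed allow-list of user-agent substrings for software that legitimately
# fetches outboxes; extend it for whatever federates with your instance.
KNOWN_FEDIVERSE_AGENTS = ("Mastodon", "Lemmy", "Mbin", "Kbin", "Pleroma",
                          "Akkoma", "Misskey", "Friendica", "PieFed", "Pixelfed")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
OUTBOX_RE = re.compile(r"^/u/(?P<user>[^/?]+)/outbox(?:[/?]|$)")

def find_suspicious_outbox_requests(log_text, known_agents=KNOWN_FEDIVERSE_AGENTS):
    """Return (ip, user, ua, ts) for successful outbox fetches whose user agent
    does not match any known fediverse implementation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format
        path_match = OUTBOX_RE.match(m["path"])
        if not path_match or m["status"] != "200":
            continue  # only a 200 actually served the serialized user data
        if any(agent in m["ua"] for agent in known_agents):
            continue
        hits.append((m["ip"], path_match["user"], m["ua"], m["ts"]))
    return hits

def affected_users(hits):
    """Distinct usernames whose outbox was fetched by an unknown client."""
    return sorted({user for _, user, _, _ in hits})

if __name__ == "__main__":
    hits = find_suspicious_outbox_requests(SAMPLE_LOG)
    for ip, user, ua, ts in hits:
        print(f"{ts} {ip} fetched /u/{user}/outbox with UA {ua!r}")
    print("users to notify:", affected_users(hits))
    print("requests per client IP:", Counter(ip for ip, *_ in hits))
```

An empty user-agent or a spoofed one will not be caught by the allow-list, so treat the output as a starting point for the notification list, not proof that nothing else was fetched.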

  • jwr1@kbin.earth [OP] [M] · 15 points · 5 months ago

    For kbin.earth users:

    I upgraded to v1.8.4 (the safe version) immediately once I saw the private message from the Mbin devs, so hopefully we weren’t exposed for too long. There are no known users of that endpoint, so we are not even sure if data was leaked or not.

    Either way, to stay on the safe side, it’s recommended that you reset your password and reset your 2FA (disable and then re-enable it).

    • Oofnik@kbin.earth · 9 points · 5 months ago

      Thanks jwr. As always, wonderful that you are so on top of things.

      Question - is there a non-techy way to check the version of a given instance? Asking because I have an account on another instance.

  • Maeve@kbin.earth · 9 points · 5 months ago

    @jwr1 is 100% legit a great admin and also very kind and generous. Thanks so much for all you do for your users.

    • jwr1@kbin.earth [OP] [M] · 5 points · 5 months ago

      Actually, for the most part, kbin.earth does stay on the stable Mbin releases. There are some servers that are bleeding edge and are updated to the latest GitHub commit, such as kbin.melroy.org, but kbin.earth isn’t one of those. There are some specific times that I’ve updated to the latest commit, but that doesn’t happen often.

      • Pamasich@kbin.earth · 5 points · 5 months ago

        Oh I see, then I must have only seen the times where you did. Thanks for pointing that out. I’ll delete the original comment since it’s not relevant then.

    • melroy@kbin.melroy.org · 5 points · 5 months ago

      v1.8.3 was just the official stable version; @jwr1@kbin.earth was doing everything according to the book. He didn’t do anything wrong, nor was he running bleeding edge like the main branch.