this post was submitted on 29 Sep 2025

kbin.earth meta

Crossposted from https://gehirneimer.de/m/updates@kbin.melroy.org/t/766866/Mbin-security-disclosure

As most of the servers listed on the fediverse.observer and fedidb are not at v1.8.3 anymore, we need to talk about the security patch we released as part of v1.8.4. We have tried to get in touch with the remaining instance admins and gave them a week to update their instances.

In v1.8.3 a bug was introduced that caused a significant information leak on the user outbox endpoint, reachable through https://mbin.instance/u/username/outbox. This endpoint contains all public activities of a user. On servers running v1.8.3 this endpoint did not return JSON in an ActivityPub compatible format, but just serialized data. This serialized data contained nearly every bit of data Mbin has about a user: the IP, the email address, the private key to sign activities from this user, securely hashed passwords, 2FA secret and backup codes, etc. We think it is unlikely that someone made use of this, as this endpoint is not commonly used. Other ActivityPub software of course uses this endpoint to fetch data, but if that data is not in a compatible format it just ignores it.

We are very sorry about this and honestly very frustrated that it slipped by.

What can users do

The only thing you can really do is to change your password and two-factor authentication (disable and re-enable it).

What can admins do

You could check your access logs for any requests on this endpoint not coming from a known fediverse software to research your specific instance.

What did we do / What are we going to do

To prevent this from happening again we introduced automated tests on that endpoint and will do so on similar new endpoints (like a magazine outbox) in the future.

We will also add a new command next release to generate new private keys for all users to prevent impersonation. However, that might cause rejected activities for up to 24 hours. Every software we checked updates remote users at least every 24 hours including re-fetching the private key.

Technical explanation for those interested

With v1.8.3 we refactored a lot of the ActivityPub code. The reason we did that was simply because we did not save any outgoing activities, as in: we did not record what we sent out to other servers. Since v1.8.3 other servers can actually query the URLs we sent them.

Behind the scenes that means that we are now saving something to the database that we previously didn't do. In the process of this all *Factory and *Wrapper classes now return an Activity object instead of an associative array. Because the user outbox endpoint was forgotten, that just returned an array of these Activity objects that were then serialized, instead of the correct way introduced with v1.8.3, which is to call ActivityJsonBuilder::buildActivityJson.
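One way to do the access-log check the post suggests for admins, as an added example that is not part of the original post or of Mbin's own tooling: it scans combined-format (nginx/Apache) access log lines for successful GETs of /u/<name>/outbox whose User-Agent carries no marker of known fediverse software. The log lines and the marker list are constructed assumptions; User-Agent is client-supplied, so a match only excludes a request from the suspicious set, it does not prove the remaining ones were malicious.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2025:10:01:22 +0000] "GET /u/alice/outbox HTTP/1.1" 200 18211 "-" "http.rb/5.1.1 (Mastodon/4.2.0; +https://mastodon.example/)"
198.51.100.9 - - [12/Sep/2025:10:02:05 +0000] "GET /u/alice/outbox HTTP/1.1" 200 18211 "-" "curl/8.5.0"
198.51.100.9 - - [12/Sep/2025:10:02:09 +0000] "GET /u/bob/outbox?page=1 HTTP/1.1" 200 17990 "-" "python-requests/2.31"
192.0.2.44 - - [12/Sep/2025:10:03:40 +0000] "GET /u/bob/inbox HTTP/1.1" 405 0 "-" "curl/8.5.0"
192.0.2.45 - - [12/Sep/2025:10:04:01 +0000] "GET /u/carol/outbox HTTP/1.1" 200 16020 "-" "Lemmy/0.19.5; +https://lemmy.example"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The leaking endpoint from the post: /u/<username>/outbox, with or without a query string.
OUTBOX_RE = re.compile(r"^/u/[^/?]+/outbox(?:[/?]|$)")

# Assumed User-Agent substrings of common fediverse software; extend with what your
# own logs show. Anything not matching is worth a look, not automatically hostile.
KNOWN_UA_MARKERS = ("Mastodon/", "Lemmy/", "Mbin/", "Kbin/", "Misskey/", "Pleroma", "Akkoma", "Friendica", "PieFed")


def suspicious_outbox_requests(lines: Iterable[str], known_markers=KNOWN_UA_MARKERS) -> List[Dict[str, str]]:
    """Return GETs of a user outbox that were served (200) to an unrecognised client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not OUTBOX_RE.match(m["path"]):
            continue
        if m["status"] != "200":  # only a 200 actually delivered the serialized data
            continue
        if any(marker in m["ua"] for marker in known_markers):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "path": m["path"], "ua": m["ua"]})
    return hits


def summarize_by_ip(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address to spot a single scraper quickly."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_outbox_requests(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["path"]} "{h["ua"]}"')
    print(summarize_by_ip(found))
```

For a real instance, feed the script the access log from the window in which v1.8.3 was deployed and narrow the result by hand; a request from an unknown client is a lead, not a verdict.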

[–] melroy@kbin.melroy.org 5 points 1 month ago (1 children)

I also want to thank @BlueKey@fedia.io for discovering the bug and reporting the bug to me. This is how this security issue was quickly found and fixed.

[–] BlueKey@fedia.io 4 points 1 month ago

It was a pleasure to work with you and @BentiGorlich@gehirneimer.de on discussing the finding and finding possible mitigations for the issue.

Mbin has a great team of devs and also server admins.