The Sunny Gardener - February 2024
Mastodon Security Patches
February was a big month for Mastodon security patches.
- v4.2.5 on Feb 1 fixed the critical issue: Remote user impersonation and takeover
- v4.2.6 on Feb 14 fixed several medium to high severity vulnerabilities.
- v4.2.7 on Feb 16 fixed: Lack of media type verification of Activity Streams objects allows impersonation of remote accounts
- v4.2.8 on Feb 23 was a direct result of the spam wave mentioned below. It doesn’t add new security features to existing servers, but changes the default settings of the Mastodon server software to be less of an open door to spammers.
Spam
A spam campaign began on Feb 16 and lasted for almost a week. The spammers appeared to be a group of Japanese kids who were upset with a different group of Japanese kids on Discord, and launched the spam campaign to stir up trouble.
The campaign targetted Misskey and Mastodon servers with open registration, allowing them to use automated scripts to rapidly create new accounts with random names to spam from. Many of the affected servers were small and not being actively monitored by their admins.
The Mastodon patch v4.2.8 was a direct response to this campaign, changing the default settings for the server software to closed registrations, and additionally, will close registrations automatically if no moderators or admins have logged in during the past week. While this would have little immediate or direct effect on the current spam wave, it does support more sensible behaviour going forward.
This update changes registrations to be closed by default.
Running a social media platform where anyone can sign up without active moderation is dangerous.
In particular, even though many of the servers being exploited to send spam appear unmonitored by their owners, many of those are also running on Mastodon specific hosting services. When those services apply updates to their systems, all of the Mastodon servers they host are also automatically upgraded. So even if a server is not being maintained by it’s owner, many of them will still get automatically upgraded to this new patch by their hosting companies, which will close registrations if they are not being monitored.
After several days, the kids running the spam operation seemed to have reached a ceasefire and/or gotten tired of it. A bit more spam was observed over the next few days, but doesn’t seem to have lasted much longer, and the affected servers either shut down registrations or ended up widely blocked.
Summary
After last month’s lull in reports, it’s probably a new record number this month due to the spam. A few unfortunate accounts ended up being the ones getting all of the spam directed at them, so thanks for the patience of that handful of users and for sending in the reports so we could get the sources blocked.
There was also a noticeable jump in registrations this month, no doubt partly driven by the CEO of both Tumblr and WordPress.com having a privacy-violating transphobic meltdown on social media, as well as making deals to share user’s data with OpenAI and Midjourney.
Hosting Costs
This is the first monthly bill including the new upgraded server, and the monthly expenses will now be about $30 higher as a result.
Expand Hosting Costs
| sunny.garden | 2024-02-01 | |
|---|---|---|
| Main Server | 8-16GB-160GB | -$68 |
| Media Storage | 351GB/mo. | -$13 |
| Media Bandwidth | Free | $0 |
| Backups | 95GB/mo. | -$16 |
| Domain Name | $35/yr | -$3 |
| Email Server | -$5 | |
| Donations One-Time | $15 | |
| Donations Recurring | $54 | |
| Monthly Totals | ||
| Previous Balance | $101 | |
| Total Expenses | -$105 | |
| Total Donations | $69 | |
| Balance | $65 |
Canadian Dollars
As always, thank you to everyone that has donated on ko-fi, and to those who have recently added new contributions to support the upgraded server!
There’s no obligation or expectation that you donate in order to use the server, and I’m still able to cover any shortfall myself if needed.
– Brook