Bit of fun this weekend by looking at how Mastodon actually works under the hood. The "federation" part is really interesting, but also highlights how other servers may not be trusted.

Take for example this user (should be cached on infosec.exchange):

@fakexpn

If you click on the user via the web interface, you'll see that the account has insta-influencer status, without all the shit-posting and self-meme'ing.

This is of course all by design, as part of ActivityPub. When we reference another account on another server, the "federation" part of the protocol kicks in and requests information on the account. This means that on the server we control, we can set as many followers as we want (as well as post count and basically anything else we want) by returning a "totalItems" value of 99999999 in the followers ActivityStreams JSON.

tl;dr, Factor in trust of servers when using Mastodon (and stop using follow count as a metric!)

@xpn @fakexpn If you really want to be an influencer, have -1 followers!
@xpn @fakexpn As much as I hate the term "blockchain" it might actually be a viable use case to prevent this kind of issue. It's being used to con people out of their life savings instead
@xpn can't you also create a bunch of follows on an account on a normal instance from a ton of fake accounts you created on your own instance unless the server with your account has explicitly decided to defederate with the attacker instance?
@jann @xpn it's called a sybil attack, and that definitely works
@xpn i got excited thinking you were my favorite radio station wxpn...
@djspacebunny @xpn For a second there, I also thought the writeup was about the radio station.
@joy @xpn i am trying to convince xpn fam to come over here!
@joy @djspacebunny too many XPNs 😂
@xpn @joy how'd you get the blue checkmark thing to work? i'm verified on twitter but still trying to figure out things here. i donated to @jerry too and would like to show i contributed toward the greater good of this instance <3
@djspacebunny @joy @jerry Just add : verified : after your name (without spaces)
@xpn
I would guess a reputation system like on mail servers will slowly be put in place
@fakexpn @laomaiweng
@xpn @fakexpn@xpn-mastodon.ngrok.io there are instances that anonymize follower/following count in this way. For example @admin and every account over there default to 42.

@xpn @fakexpn

Interesting! I’m exploring mastodon as another case of #twittermigration, I’d been wondering about trust & verification mechanisms between servers.

Seems to me the challenges are pretty close to email infrastructure.

Is there anything in the calls that would let the requestor check if the user/server had been DNS verified?

@Noranydroptodrink @xpn @fakexpn what do you mean by DNS verified in this case?

@pjperez @xpn @fakexpn

Ah, sorry I just rechecked and RTFM - it’s a html link, not DNS.

https://docs.joinmastodon.org/user/profile/


@xpn   nobody is going to believe that I have 99,999,999 toots when I hit it next year
@xpn it's interesting that the Glitch fork does highlight the URL as fake :)
@xpn @fakexpn Oh wow! That is an interesting hack.

@xpn

For verified profile links (rel="me"), do you happen to know if the verification is by the instance the user belongs to or the instance I'm viewing their profile on?

Context: https://mstdn.social/@lambda@meow.social/109375728649830242

Lambda (@lambda@meow.social)

@theruss@mstdn.social does link verification happen only on the user's instance, or do other instances re-verify the links? In other words, can a bad actor simply set up their own instance that shows arbitrary links as verified for everyone?

@theruss It's the instance that the account is on, so for me, it's https://infosec.exchange/@xpn. That is just for verifying my blog, if you are on about the tick after my profile name, just add : verified : (no spaces) in your name ;)

@xpn Based on how many people boosted this post...

https://mstdn.social/@theruss/109373419496754729

It seems I have volunteered myself to be the patron saint of link verification.

I may try to come up with some proposals to work around "a malicious server is lying about verified links for a profile it hosts"...

Russ (@theruss@mstdn.social)

I have a request. Bad actors will soon figure out - if they haven't already - that setting up impersonations of important organizations now will allow them to set off an explosion of chaos and confusion at a time of their choosing. So if you run an account for an organization (especially #LGBTQ), please set up link verification between your Mastodon account profile and your organization's website. If not, please boost. Instructions are here under "Link Verification": https://docs.joinmastodon.org/user/profile/

@xpn @fakexpn@xpn-mastodon.ngrok.io it's time to run a bug hunting session.
@xpn @abc “bug” hunting. the protocol works as it was designed. email level security means email level security, damn it.
@ariadne @xpn @abc: "Email level confidentiality" has become pretty vague, nowadays that, under certain circumstances, some or all legs of the transport may actually be strongly encrypted.
@riley @ariadne @xpn @abc all of this is going over TLS so yes the transport is strongly encrypted too. But it doesn't seem relevant to the original post?
@ariadne @nicolas17 @abc @riley The tl;dr of the original post is the main takeaway: federated servers can be untrustworthy and this needs to be factored into decisions about whether an account is also trustworthy. The follower count, account created date, post count etc. are all taken from the target server. It’s a guess, but most likely an influx of likes/boosts from a rogue server could also be possible, but I’ve not looked at that or what happens if the server/account is blocked.
This differs from the existing Twitter model which is what people are surprised at (and tbh, is why I looked in the first place, trying to understand the protocol before committing to the platform and understanding what it means to have an account on another server to my peers). You see “Followers”, and you relate this to Twitter world… but this isn’t the case.
@xpn @ariadne @abc @riley Yeah I get that, but confidentiality and transport encryption have nothing to do with that, do they?

@fakexpn @xpn

other servers (Pleroma) display the known connection count instead, for the reason that you describe.

anyway this is all quite boring, you can push different versions of a message with the same ID to different AP servers and Mastodon will just accept it as long as the request is signed.

litepub moved a lot of this to pointers for a reason. mastodon can speak litepub if authorized fetch mode is enabled, but even in hardened mode it still trusts things that the litepub community explicitly defined as untrustworthy

@ariadne @fakexpn @xpn what do follower counts look like with pointers?
@fakexpn @io @xpn pointers are not relevant to follower counts, you either trust the remote collection stats or you don’t. there is no requirement in any spec for totalItems to actually be the total items in the collection anyway, it’s meant to be a hint for how much capacity to reserve for the collection items.
@fakexpn @io @xpn you can even have collections which do not provide totalItems count at all.
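A defender-side check for the point made in the original post and in the two replies above (the remote server's totalItems is just a self-reported hint, and may be absent entirely): this is an added Python example, not code from Mastodon or from anyone in the thread. The followers collection, the page contents and the example.invalid URLs are constructed here for illustration, and `fetch` is assumed to be whatever function returns parsed JSON for a page URL.

```python
import json

# Constructed sample (not from any real server): a followers collection that
# advertises 99999999 followers but whose only page lists two actors.
FOLLOWERS = json.loads("""{
  "@context": "https://www.w3.org/ns/activitystreams",
  "id": "https://example.invalid/users/fakexpn/followers",
  "type": "OrderedCollection",
  "totalItems": 99999999,
  "first": "https://example.invalid/users/fakexpn/followers?page=1"
}""")

# Constructed stand-in for the pages the server would serve; PAGES.get plays
# the role of the network fetch in this offline example.
PAGES = {
    "https://example.invalid/users/fakexpn/followers?page=1": {
        "type": "OrderedCollectionPage",
        "partOf": "https://example.invalid/users/fakexpn/followers",
        "orderedItems": ["https://example.invalid/users/a",
                         "https://example.invalid/users/b"],
    }
}


def enumerate_followers(collection, fetch, max_pages=50):
    """Walk the collection's pages and return the set of actor IDs it really lists.

    `fetch(url)` returns parsed JSON for a page or None. `first`/`next` may be a
    URL string or an inlined page object, so both forms are handled; a collection
    with no `first` is treated as its own (inline) page. The page count is capped
    so a remote server cannot make the checker paginate forever.
    """
    seen = set()
    page = collection.get("first", collection)
    for _ in range(max_pages):
        if isinstance(page, str):
            page = fetch(page)
        if not isinstance(page, dict):
            break
        for item in page.get("orderedItems") or page.get("items") or []:
            seen.add(item if isinstance(item, str) else item.get("id"))
        page = page.get("next")
    return seen


def assess_followers(collection, fetch):
    """Compare advertised totalItems with what the pages actually expose.

    totalItems is optional and only a sizing hint, so a missing value is
    reported as None rather than being treated as zero.
    """
    advertised = collection.get("totalItems")
    enumerated = len(enumerate_followers(collection, fetch))
    return {"advertised": advertised, "enumerated": enumerated,
            "inflated": advertised is not None and advertised > enumerated}
```

A server that lies about totalItems can just as easily serve fabricated pages, so a mismatch only shows the count is not backed by what the server exposes, not that a matching count is genuine. The safer display choice is the locally known connection count, as the Pleroma behaviour described above does.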

@xpn @fakexpn

Interesting. Thanks for sharing.

@xpn What would follow count even be a metric of...?