I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation which Truth Social doesn't use?) #infosec
You can find the Truth Social source code here: https://help.truthsocial.com/legal/open-source/
Merge pull request from GHSA-9928-3cp5-93fm · mastodon/mastodon@dc8f1fb

* Fix attachments getting processed despite failing content-type validation * Add a restrictive ImageMagick security policy tailored for Mastodon * Fix misdetection of MP3 files with large cover ...

GitHub
Theoretically, anyone with internet access would have been able to put two and two together to exploit this vulnerability since its public disclosure in July of 2023. But I'm sure nobody, and certainly not state actors, would have an interest in exploiting the security of a social network owned and used by a presidential candidate (who now stands to profit billions of dollars from its sale to the public)
Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking

Most critical of the bugs allowed attackers to root federated instances.

Ars Technica
The idea that Truth Social might not have a clue about security is disclosed as a risk in their IPO filings. But I feel the public, who Trump is trying to offload this stock to, should be better informed that this risk already seems to be realized ahead of tomorrow’s potential IPO.
If you’re concerned about responsible disclosure, the responsible disclosure already happened back in July. Truth Social knows they’re running Mastodon, and aren’t keeping up with security disclosures that affect them.
FWIW, according to this post from @virtuallaughing, Truth Social no longer runs on Mastodon, but runs on Pleroma instead. I’m just going off of publicly available information, but that would also now mean they’re violating Pleroma’s AGPL license, which frankly may be just as bad for a tech company going public https://ieji.de/@virtuallaughing/112150957756380001
Post from @virtuallaughing on ieji.de:

@[email protected] I'm sorry to burst anyone's bubble, but this is not the case. Contrary to popular belief and media reports, Truth Social does not actually run Mastodon. It's based on Pleroma and Alex Gleason's soapbox-fe. The origin of the open-source release was that before Truth Social even went live, they had a bunch of pre-production test instances people were able to find and spam with pigpoopballs.jpg (leading to the infamous Colbert segment.)
From a “securities fraud” perspective, knowingly violating software licenses to form your core product without ever disclosing it in public filings may actually be worse than a disclosed risk of security vulnerabilities. And in case it’s not entirely clear, Trump is using this IPO to try to make bond on a $454M penalty…for committing fraud https://www.nytimes.com/2024/03/22/business/trump-media-merger-truth-social.html
Trump Media Merger Approved, Allowing Truth Social to Go Public

Having closed the merger of his social media company, Mr. Trump could find ways to raise cash against the value of his stake in the company, estimated at more than $3 billion.

The New York Times
Had a chance to look back at the SEC filings. Pleroma is not mentioned, and they continue to state that they use Mastodon and post the source code publicly for AGPLv3 compliance:
As an update, Truth Social's posted Mastodon source code has not been updated since my initial post in this thread, and has seemingly not been updated since at least June of 2022 (compare: http://web.archive.org/web/20220614001551/https://opensource.truthsocial.com/mastodon-current.zip). So if they're still using and updating Mastodon internally, they're no longer complying with its AGPL license at that link.
Any journalists interested in informing the public about the uncertainty and risks involved with this now publicly-traded social media corporation, feel free to reach out for inquiries! https://mastodon.social/@gbhnews/112162105752356614
Also, if anyone has concrete information showing that Truth Social is actually using Pleroma in production now instead of Mastodon, please get in touch with [email protected] via email
I've filed a formal complaint with the SEC regarding Truth Social's potentially misleading statements to investors in public filings
Still surprising to me that nobody’s been particularly interested in the fact that this social media company, Truth Social, is built on a platform that is now either once again knowingly violating its AGPL license terms for Mastodon and lying in public filings about it, or has public security vulnerabilities you could drive a bus through https://www.businessinsider.com/trump-media-stock-price-crash-spac-djt-truth-social-2024-4
DJT SPAC: Trump Media's stock price is probably going to crash

Trump's media company, which runs Truth Social, is flying high after starting trading. There are plenty of reasons to believe it won't stay up there.

Insider
More directly, is @Gargron aware that Truth Social hit a $9B market cap last week while not having updated their posted source code since 2022?
Update! Maybe my shouting and hollering and SEC reporting accomplished something because Truth Social has now updated the Mastodon source code available on their website. Here's a diff against the previous release (new snapshot seems to be from April 1st of this year): https://gist.github.com/ryanfb/84502d3f9fde8d91fa2339124354b785
@ryanfb doing the lord's work 👍

@ryanfb Interesting..

It's indeed all from 2022, meaning that they don't comply with the licence OR that they run a super old version that has security issues

Both bad..

@ryanfb If nothing else, it’s still got this hanging out on there: https://web.archive.org/web/20240326222132/https://truthsocial.com/oops.gif
@ryanfb
@stux posted this, currently leads to a Mastodon error page, would seem to rule out Pleroma

https://truthsocial.com/.well-known/nodeinfo
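As an added example (not from this thread, and not Truth Social's, Mastodon's or Pleroma's code): a small Python parser for the NodeInfo discovery flow behind the /.well-known/nodeinfo URL above, which is how a Fediverse instance advertises its software name and version. The discovery and NodeInfo documents are constructed samples, example.invalid and the version string are placeholders, and the case where the endpoint returns an HTML error page instead of JSON (as the thread reports) is handled by returning None.

```python
import json
from typing import Callable, Optional, Tuple

# Constructed sample of a NodeInfo discovery document, the shape served at
# /.well-known/nodeinfo (NodeInfo protocol; not captured from any real host).
DISCOVERY_DOC = json.dumps({
    "links": [
        {"rel": "http://nodeinfo.diaspora.software/ns/schema/2.0",
         "href": "https://example.invalid/nodeinfo/2.0"}
    ]
})

# Constructed sample of the NodeInfo 2.0 document the link above points to.
NODEINFO_DOC = json.dumps({
    "version": "2.0",
    "software": {"name": "mastodon", "version": "4.x-placeholder"},
    "protocols": ["activitypub"],
})

# Constructed stand-in for an HTML error page returned instead of JSON.
ERROR_PAGE = "<!DOCTYPE html><html><body>The page you are looking for isn't here.</body></html>"

SCHEMA_PREFIX = "http://nodeinfo.diaspora.software/ns/schema/"


def parse_discovery(body: str) -> Optional[str]:
    """Return the href of the newest NodeInfo schema advertised, or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None  # HTML error page or other non-JSON body
    links = [l for l in doc.get("links", [])
             if isinstance(l, dict) and str(l.get("rel", "")).startswith(SCHEMA_PREFIX)]
    if not links:
        return None
    # Prefer the highest schema version ("2.1" sorts after "2.0" and "1.x").
    links.sort(key=lambda l: l["rel"][len(SCHEMA_PREFIX):], reverse=True)
    return links[0].get("href")


def parse_software(body: str) -> Optional[Tuple[str, str]]:
    """Return (software name, version) from a NodeInfo document, or None."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    sw = doc.get("software")
    if not isinstance(sw, dict) or "name" not in sw:
        return None
    return (str(sw["name"]).lower(), str(sw.get("version", "")))


def identify(discovery_body: str, fetch: Callable[[str], str]) -> Optional[Tuple[str, str]]:
    """Follow discovery -> NodeInfo document -> (name, version); fetch(url) returns a body."""
    href = parse_discovery(discovery_body)
    return None if href is None else parse_software(fetch(href))
```

Feeding identify() a real HTTP client as fetch lets an operator inventory the software and version of instances they administer or federate with, which is the patch-tracking use of this metadata.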

404 Media

404 Media is an independent media company founded by technology journalists Jason Koebler, Emanuel Maiberg, Samantha Cole, and Joseph Cox.
@greg I've already reached out to them, The Verge, and Ars Technica, haven't seen any interest yet
@ryanfb Is that a $474 million fine with interest?
@ryanfb what is the consequence for not posting changes?
@MichaelBishop ultimately refusing to could lead to a lawsuit from any copyright holder of Mastodon's source code i.e. any committer
@ryanfb Huh, an operation associated with [expletive deleted] doing something in an ethically/legally/technically dubious way, suggesting a lack of basic competence? Who woulda thunk it.