I don't know who needs to hear this but #TruthSocial, which is running a forked version of Mastodon, does not from the source code appear to have appropriate mitigations in place for CVE-2023-36460, which theoretically allows attackers to create and overwrite any file Mastodon has access to, allowing Denial of Service and arbitrary Remote Code Execution https://nvd.nist.gov/vuln/detail/CVE-2023-36460 (probably other CVEs as well, but some rely on federation, which Truth Social doesn't use?) #infosec
Link preview: NVD - CVE-2023-36460

You can find the Truth Social source code here: https://help.truthsocial.com/legal/open-source/
Link preview (GitHub): Merge pull request from GHSA-9928-3cp5-93fm · mastodon/mastodon@dc8f1fb: "* Fix attachments getting processed despite failing content-type validation * Add a restrictive ImageMagick security policy tailored for Mastodon * Fix misdetection of MP3 files with large cover ..."
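The commit message above lists a restrictive ImageMagick security policy among the fixes for this advisory. The Python below is an added example for this thread, not code from Mastodon, Truth Social or ImageMagick: it parses an ImageMagick policy.xml and reports which script-running or file-writing coders (MSL in particular) remain reachable. The two policies are constructed samples, the coder list is illustrative rather than the exact set any project denies, and the evaluation rule (the last matching `coder` entry wins, and a coder matched by no entry keeps all rights) is an assumption taken from ImageMagick's policy documentation rather than from anything on this page.

```python
"""Check an ImageMagick policy.xml for coders that should not be reachable
from untrusted uploads. Added example for this thread; not code from
Mastodon, Truth Social or ImageMagick."""
import fnmatch
import xml.etree.ElementTree as ET

# Coders that ImageMagick hardening guides commonly deny. Assumption: this
# list is illustrative and is not the exact set any particular policy covers.
# MSL matters most here: it is a scripting coder that can write files.
RISKY_CODERS = ("MSL", "TEXT", "MVG", "EPHEMERAL", "URL", "HTTPS", "SHOW", "WIN", "PLT")

# Constructed sample: a loose policy that only blocks two coders.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
</policymap>"""

# Constructed sample: deny every coder, then allow-list the image formats
# the application actually needs (the allow-list itself is an assumption).
HARDENED_POLICY = """<policymap>
  <policy domain="path" rights="none" pattern="@*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>"""

ALL_RIGHTS = frozenset({"read", "write", "execute"})


def _parse_rights(value):
    """Turn a rights attribute such as "read | write" or "none" into a set."""
    tokens = {t.strip() for t in value.lower().split("|")}
    if "all" in tokens:
        return set(ALL_RIGHTS)
    return {t for t in tokens if t in ALL_RIGHTS}


def _pattern_matches(coder, pattern):
    """ImageMagick patterns are case-insensitive globs with {A,B} alternation."""
    coder = coder.upper()
    pattern = pattern.strip().upper()
    if pattern.startswith("{") and pattern.endswith("}"):
        alternatives = [p.strip() for p in pattern[1:-1].split(",")]
    else:
        alternatives = [pattern]
    return any(fnmatch.fnmatchcase(coder, alt) for alt in alternatives)


def coder_rights(policy_xml, coder):
    """Effective rights for one coder under the given policy.

    Assumption: the last matching <policy domain="coder"> entry wins, and a
    coder matched by no entry keeps all rights, which is how ImageMagick's
    documentation describes policy evaluation.
    """
    rights = set(ALL_RIGHTS)
    root = ET.fromstring(policy_xml)
    for entry in root.iter("policy"):
        if entry.get("domain", "").lower() != "coder":
            continue
        if _pattern_matches(coder, entry.get("pattern", "")):
            rights = _parse_rights(entry.get("rights", ""))
    return rights


def risky_coders_enabled(policy_xml, coders=RISKY_CODERS):
    """Return the risky coders that still hold any right under the policy."""
    return [c for c in coders if coder_rights(policy_xml, c)]


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: risky coders still enabled: {risky_coders_enabled(policy)}")
```

On a deployed host the file to check is the one ImageMagick actually loads, which `identify -list policy` (or `magick -list policy` on ImageMagick 7) prints; a hardened policy.xml sitting in a repository does nothing if the running image processor never reads it.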
Theoretically, anyone with internet access would have been able to put two and two together to exploit this vulnerability since its public disclosure in July of 2023. But I'm sure nobody, and certainly not state actors, would have an interest in exploiting the security of a social network owned and used by a presidential candidate (who now stands to profit billions of dollars from its sale to the public)
Link preview (Ars Technica): Mastodon fixes critical “TootRoot” vulnerability allowing node hijacking. "Most critical of the bugs allowed attackers to root federated instances."
The idea that Truth Social might not have a clue about security is disclosed as a risk in their IPO filings. But I feel the public, whom Trump is trying to offload this stock to, should be better informed that this risk already seems to be realized ahead of tomorrow’s potential IPO.
If you’re concerned about responsible disclosure, the responsible disclosure already happened back in July. Truth Social knows they’re running Mastodon, and aren’t keeping up with security disclosures that affect them.
FWIW, according to this post from @virtuallaughing, Truth Social no longer runs on Mastodon, but runs on Pleroma instead. I’m just going off of publicly available information, but that would also now mean they’re violating Pleroma’s AGPL license, which frankly may be just as bad for a tech company going public https://ieji.de/@virtuallaughing/112150957756380001
Quoted post by 🏴‍☠️🏳️‍🌈🏳️‍⚧️🇵🇸 (@virtuallaughing@ieji.de), via ieji.de:

@[email protected] I'm sorry to burst anyone's bubble, but this is not the case. Contrary to popular belief and media reports, Truth Social does not actually run Mastodon. It's based on Pleroma and Alex Gleason's soapbox-fe. The origin of the open-source release was that before Truth Social even went live, they had a bunch of pre-production test instances people were able to find and spam with pigpoopballs.jpg (leading to the infamous Colbert segment.)
From a “securities fraud” perspective, knowingly violating software licenses to form your core product without ever disclosing it in public filings may actually be worse than a disclosed risk of security vulnerabilities. And in case it’s not entirely clear, Trump is using this IPO to try to make bond on a $454M penalty…for committing fraud https://www.nytimes.com/2024/03/22/business/trump-media-merger-truth-social.html
Link preview (The New York Times): Trump Media Merger Approved, Allowing Truth Social to Go Public. "Having closed the merger of his social media company, Mr. Trump could find ways to raise cash against the value of his stake in the company, estimated at more than $3 billion."
Had a chance to look back at the SEC filings. Pleroma is not mentioned, and they continue to state that they use Mastodon and post the source code publicly for AGPLv3 compliance:
As an update, Truth Social's posted Mastodon source code has not been updated since my initial post in this thread, and has seemingly not been updated since at least June of 2022 (compare: http://web.archive.org/web/20220614001551/https://opensource.truthsocial.com/mastodon-current.zip). So if they're still using and updating Mastodon internally, they're no longer complying with its AGPL license at that link.
Link preview: SEC.gov | Office of the Whistleblower