Summary
In the web interface, clicking on the result returned by a search for a username could have lead to a different profile instead.
Details
Clicking on a username in search results could have lead to a different profile, if all of the following conditions were met:
- The usernames were identical
- The server name of one user started with the server name of the other user and
- Account data was loaded in a certain order.
Example: Given a user @user@instance.com and a user @user@instance.com.example.com, if the app loaded and cached the latter user's data first and someone searched for "user" then both users would have been displayed correctly, but both would have linked to the profile of @user@instance.com.example.com.
Impact
Carefully crafted fake accounts could have impersonated other accounts if a user clicked on corrupted search results.
The impact is limited by the fact that this was never in a stable release. But we urge everyone who has installed nightly builds or beta 1 of Mastodon 4.3. to update to beta 2.
Summary
In the web interface, clicking on the result returned by a search for a username could have lead to a different profile instead.
Details
Clicking on a username in search results could have lead to a different profile, if all of the following conditions were met:
Example: Given a user
@user@instance.comand a user@user@instance.com.example.com, if the app loaded and cached the latter user's data first and someone searched for "user" then both users would have been displayed correctly, but both would have linked to the profile of@user@instance.com.example.com.Impact
Carefully crafted fake accounts could have impersonated other accounts if a user clicked on corrupted search results.
The impact is limited by the fact that this was never in a stable release. But we urge everyone who has installed nightly builds or beta 1 of Mastodon 4.3. to update to beta 2.