The command being used is:
(Screenshot taken from the attacker's feed; I haven't personally tried it :) )
Presumably the initial intent was just to artificially inflate follower numbers for specific accounts, but since posting, this has been actively used against several servers.
Unclear whether simply suspending the remote server is sufficient to prevent impact as the admin interface states "The domain block will not prevent creation of account entries in the database" or whether firewall rules must also be employed.
The attacker seems to be using the following commands:
RAILS_ENV=production bin/tootctl accounts follow [email protected]
RAILS_ENV=production bin/tootctl accounts create name --email [email protected] --confirmed
The feature itself is useful, but I think it should probably be scoped to local accounts only ;)
https://FreeFediFollowers.ga/ is actively exploiting this in the wild. I recommend fellow fediverse nodes add a domain block for them.
P.S. Adding a domain suspension (also enabling both block options under silence prior to selecting suspend in the moderation panel) will kick off Sidekiq jobs and slowly remove all follows from all accounts. 😀