{"id":1131309,"date":"2024-02-03T09:39:29","date_gmt":"2024-02-03T11:39:29","guid":{"rendered":"https:\/\/teknomers.com\/fr\/la-vulnerabilite-mastodon-permet-aux-pirates-de-detourner-nimporte-quel-compte-decentralise\/"},"modified":"2024-02-03T09:39:33","modified_gmt":"2024-02-03T11:39:33","slug":"la-vulnerabilite-mastodon-permet-aux-pirates-de-detourner-nimporte-quel-compte-decentralise","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/la-vulnerabilite-mastodon-permet-aux-pirates-de-detourner-nimporte-quel-compte-decentralise\/","title":{"rendered":"La vuln\u00e9rabilit\u00e9 Mastodon permet aux pirates de d\u00e9tourner n&#8217;importe quel compte d\u00e9centralis\u00e9"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">03 f\u00e9vrier 2024<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">R\u00e9daction<\/span><\/span><span class=\"p-tags\">Vuln\u00e9rabilit\u00e9 \/ M\u00e9dias Sociaux<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/02\/La-vulnerabilite-Mastodon-permet-aux-pirates-de-detourner-nimporte-quel.jpg\" style=\"clear: left; display: block; float: left; text-align: center;\"><\/a><\/div>\n<p>Le r\u00e9seau social d\u00e9centralis\u00e9 Mastodon a r\u00e9v\u00e9l\u00e9 une faille de s\u00e9curit\u00e9 critique qui permet \u00e0 des acteurs malveillants de usurper l&#8217;identit\u00e9 et de prendre le contr\u00f4le de n&#8217;importe quel compte.<\/p>\n<p>&#8220;En raison d&#8217;une validation d&#8217;origine insuffisante dans tous les Mastodon, les attaquants peuvent usurper l&#8217;identit\u00e9 et prendre le contr\u00f4le de n&#8217;importe quel compte distant&#8221;, ont d\u00e9clar\u00e9 les responsables dans un avis laconique.<\/p>\n<p>La vuln\u00e9rabilit\u00e9, suivie comme <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/mastodon\/mastodon\/security\/advisories\/GHSA-3fjr-858r-92rw\" target=\"_blank\"><strong>CVE-2024-23832<\/strong><\/a>a un indice de gravit\u00e9 de 9,4 sur un maximum de 10. Chercheur en s\u00e9curit\u00e9 <a rel=\"nofollow noopener\" href=\"https:\/\/github.com\/arcanicanis\" target=\"_blank\">arcanicanis<\/a> a \u00e9t\u00e9 cr\u00e9dit\u00e9 de sa d\u00e9couverte et de son rapport.<\/p>\n<p>Cela a \u00e9t\u00e9 d\u00e9crit comme une &#8220;erreur de validation d&#8217;origine&#8221; (<a rel=\"nofollow noopener\" href=\"https:\/\/cwe.mitre.org\/data\/definitions\/346.html\" target=\"_blank\">CWE-346<\/a>), qui peut g\u00e9n\u00e9ralement permettre \u00e0 un attaquant \u00ab d&#8217;acc\u00e9der \u00e0 toute fonctionnalit\u00e9 accessible par inadvertance \u00e0 la source \u00bb.<\/p>\n<p>Chaque version de Mastodon ant\u00e9rieure \u00e0 3.5.17 est vuln\u00e9rable, tout comme les versions 4.0.x ant\u00e9rieures \u00e0 4.0.13, les versions 4.1.x ant\u00e9rieures \u00e0 4.1.13 et les versions 4.2.x ant\u00e9rieures \u00e0 4.2.5.<\/p>\n<p>Mastodon a d\u00e9clar\u00e9 qu&#8217;il retiendrait les d\u00e9tails techniques suppl\u00e9mentaires sur la faille jusqu&#8217;au 15 f\u00e9vrier 2024, afin de donner <a rel=\"nofollow noopener\" href=\"https:\/\/docs.joinmastodon.org\/admin\/\" target=\"_blank\">administrateurs<\/a> suffisamment de temps pour mettre \u00e0 jour les instances du serveur et \u00e9viter tout risque d\u2019exploitation.<\/p>\n<div class=\"check_two clear babsi\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thn.news\/tl_d1\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/01\/Les-attaques-DDoS-contre-le-secteur-des-services-environnementaux-augmentent.gif\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>&#8220;N&#8217;importe quelle quantit\u00e9 de d\u00e9tails rendrait tr\u00e8s facile la d\u00e9couverte d&#8217;un exploit&#8221;, a-t-il d\u00e9clar\u00e9.<\/p>\n<p>La nature f\u00e9d\u00e9r\u00e9e de la plate-forme signifie qu&#8217;elle fonctionne sur des serveurs distincts (alias instances), h\u00e9berg\u00e9s et exploit\u00e9s de mani\u00e8re ind\u00e9pendante par des administrateurs respectifs qui cr\u00e9ent leurs propres r\u00e8gles et r\u00e9glementations appliqu\u00e9es localement.<\/p>\n<p>Cela signifie \u00e9galement que non seulement chaque instance dispose d&#8217;un code de conduite, de conditions d&#8217;utilisation, d&#8217;une politique de confidentialit\u00e9 et de directives de mod\u00e9ration de contenu uniques, mais que cela oblige \u00e9galement chaque administrateur \u00e0 appliquer des mises \u00e0 jour de s\u00e9curit\u00e9 en temps opportun pour prot\u00e9ger les instances contre les risques potentiels.<\/p>\n<p>La divulgation intervient pr\u00e8s de sept mois apr\u00e8s que Mastodon a corrig\u00e9 deux autres failles critiques (CVE-2023-36460 et 2023-36459) qui auraient pu \u00eatre utilis\u00e9es par des adversaires pour provoquer un d\u00e9ni de service (DoS) ou r\u00e9aliser l&#8217;ex\u00e9cution de code \u00e0 distance.<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ?  Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire plus de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2024\/02\/mastodon-vulnerability-allows-hackers.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80203 f\u00e9vrier 2024\ue804R\u00e9dactionVuln\u00e9rabilit\u00e9 \/ M\u00e9dias Sociaux Le r\u00e9seau social d\u00e9centralis\u00e9 Mastodon a r\u00e9v\u00e9l\u00e9 une faille de s\u00e9curit\u00e9 critique qui permet \u00e0 des acteurs malveillants de usurper l&#8217;identit\u00e9 et de prendre le contr\u00f4le de n&#8217;importe quel compte. &#8220;En raison d&#8217;une validation d&#8217;origine insuffisante dans tous les Mastodon, les attaquants peuvent usurper l&#8217;identit\u00e9 et prendre le contr\u00f4le [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1131310,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[200292,507,4168,2205,4165,4161,200267,56748,31219,4159,4171,200271,73129,200268,13477,200269,200270,9701,4394,2661,128318,4172,4169,4166,3667,4164],"class_list":["post-1131309","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-sur-la-cybersecurite","tag-aux","tag-comment-pirater","tag-compte","tag-cyber-attaques","tag-cyber-mises-a-jour","tag-cyberactualites","tag-decentralise","tag-detourner","tag-lactualite-de-la-cybersecurite-aujourdhui","tag-lactualite-des-hackers","tag-logiciel-malveillant-rancongiciel","tag-mastodon","tag-mises-a-jour-sur-la-cybersecurite","tag-nimporte","tag-nouvelles-des-pirates","tag-nouvelles-sur-le-piratage","tag-permet","tag-pirates","tag-quel","tag-securite-des-informations","tag-securite-informatique","tag-securite-internet","tag-violation-de-donnees","tag-vulnerabilite","tag-vulnerabilite-logicielle"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1131309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1131309"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1131309\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1131310"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1131309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1131309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1131309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}