Beware of Impersonation Attacks on Nexkey – Update Your Instance Now!

CVE: CVE-2023-49095
CVSS v3.1: 8.6
Source: CVE-2023-49095

Nexkey is a fork of the Misskey microblogging server, focused on moderation and lightweight operation, that lets users share posts with their followers both on their own instance and on other federated instances. A vulnerability (CVE-2023-49095) was recently disclosed in Nexkey that allows an attacker to impersonate other users by forging ActivityPub requests.

ActivityPub is the open W3C protocol that Nexkey, Misskey, Mastodon and other federated platforms use to exchange activities (posts, follows, likes and so on) between servers: the sending server POSTs a signed JSON activity to the recipient server's inbox. If the receiving server does not properly validate those inbox requests, an attacker can submit activities that claim to come from another user's account and have them processed, stored and shown to followers as if that user had posted them. This puts users at risk of having false information spread under their identity.

The root cause is summarized as insufficient validation of ActivityPub requests received in the inbox. An inbox request carries two separate notions of "who sent this": the HTTP Signature on the request, whose keyId proves which remote actor delivered it, and the identity fields inside the activity's JSON itself, such as the activity's `actor` (the "from" information) and a Note's `attributedTo`. In this class of bug the server authenticates the request but then trusts the body's identity fields without checking that they agree with the authenticated sender, so a request whose `actor` names the target user is accepted as coming from that user. Someone controlling any federated actor could then post false updates that reach the target's followers under the target's name.
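The TypeScript below is an added illustration written for this page; it is not Nexkey's source code and not the actual fix, and the actor URLs, the key directory and the activities are all constructed test data. It shows the general pattern described above: a sender builds an HTTP-signed POST to an inbox, the receiver verifies the Digest and Signature headers and derives the authenticated actor from the signing key, and then a vulnerable handler (which trusts the `actor` field in the body) is contrasted with a hardened one (which requires `actor` and `attributedTo` to match the key's owner). The in-memory key directory stands in for fetching the remote actor document named by keyId.

```typescript
import * as crypto from "crypto";

// Constructed fixture: two actors with fresh RSA keys. A real server would fetch the
// actor document named by keyId over HTTPS and check its publicKey id/owner; a map stands in.
interface Actor { id: string; keyId: string; publicKey: string; privateKey: string; }

function makeActor(id: string): Actor {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  return { id, keyId: `${id}#main-key`, publicKey, privateKey };
}

const alice = makeActor("https://example.social/users/alice");     // hypothetical victim
const mallory = makeActor("https://evil.example/users/mallory");   // hypothetical attacker
const keyDirectory: Record<string, Actor> = { [alice.keyId]: alice, [mallory.keyId]: mallory };

interface Activity { type: string; actor: string; object: { type: string; attributedTo?: string; content?: string }; }
interface SignedRequest { headers: Record<string, string>; body: string; }
interface InboxResult { ok: boolean; actor: string | null; reason: string | null; }

const SIGNED_HEADERS = ["(request-target)", "host", "date", "digest"];

function signingString(headers: Record<string, string>, names: string[]): string {
  return names
    .map((h) => (h === "(request-target)" ? "(request-target): post /inbox" : `${h}: ${headers[h]}`))
    .join("\n");
}

function sha256Digest(body: string): string {
  return "SHA-256=" + crypto.createHash("sha256").update(body).digest("base64");
}

// Sender: POST to /inbox with a draft-cavage style HTTP Signature (rsa-sha256) made with
// the sender's own key, regardless of which actor the JSON body names.
function signInboxPost(sender: Actor, activity: Activity): SignedRequest {
  const body = JSON.stringify(activity);
  const headers: Record<string, string> = {
    host: "example.social",
    date: new Date().toUTCString(),
    digest: sha256Digest(body),
  };
  const sig = crypto.sign("sha256", Buffer.from(signingString(headers, SIGNED_HEADERS)), sender.privateKey);
  headers.signature = `keyId="${sender.keyId}",algorithm="rsa-sha256",` +
    `headers="${SIGNED_HEADERS.join(" ")}",signature="${sig.toString("base64")}"`;
  return { headers, body };
}

function parseSignatureHeader(value: string): Record<string, string> {
  const params: Record<string, string> = {};
  const re = /(\w+)="([^"]*)"/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(value)) !== null) params[m[1]] = m[2];
  return params;
}

// Receiver: verify Digest and Signature and return the id of the actor who OWNS the signing
// key. That, not anything inside the body, is the authenticated identity of the request.
function verifySigner(req: SignedRequest): string | null {
  const params = parseSignatureHeader(req.headers.signature ?? "");
  const owner = keyDirectory[params.keyId];
  if (!owner || !params.headers || !params.signature) return null;
  if (req.headers.digest !== sha256Digest(req.body)) return null; // body tampered after signing
  const skew = Math.abs(Date.now() - Date.parse(req.headers.date));
  if (!(skew < 5 * 60 * 1000)) return null; // stale or unparsable Date header
  const data = Buffer.from(signingString(req.headers, params.headers.split(" ")));
  const valid = crypto.verify("sha256", data, owner.publicKey, Buffer.from(params.signature, "base64"));
  return valid ? owner.id : null;
}

// Vulnerable pattern: the signature is checked, but the activity is attributed to whichever
// actor the JSON body claims, so a valid signature from mallory "posts as" alice.
function vulnerableInbox(req: SignedRequest): InboxResult {
  if (verifySigner(req) === null) return { ok: false, actor: null, reason: "bad signature" };
  const activity = JSON.parse(req.body) as Activity;
  return { ok: true, actor: activity.actor, reason: null };
}

// Hardened pattern: identity comes only from the verified key, and every identity claim in
// the body must agree with it before the activity is processed.
function hardenedInbox(req: SignedRequest): InboxResult {
  const signer = verifySigner(req);
  if (signer === null) return { ok: false, actor: null, reason: "bad signature" };
  const activity = JSON.parse(req.body) as Activity;
  if (activity.actor !== signer) {
    return { ok: false, actor: null, reason: "actor does not match signing key owner" };
  }
  if (activity.type === "Create" && activity.object.attributedTo !== signer) {
    return { ok: false, actor: null, reason: "object.attributedTo does not match actor" };
  }
  return { ok: true, actor: signer, reason: null };
}

// Demo: mallory signs with her own key but names alice as the actor and author.
const forged = signInboxPost(mallory, { type: "Create", actor: alice.id,
  object: { type: "Note", attributedTo: alice.id, content: "forged post (constructed)" } });
console.log(vulnerableInbox(forged).actor, "|", hardenedInbox(forged).reason);
// prints: https://example.social/users/alice | actor does not match signing key owner
```

The essential design point is that the signature verification step returns an identity (the key owner) and every later step is written in terms of that identity; the body's `actor` and `attributedTo` are treated as claims to be checked against it, never as the source of truth. A production inbox would additionally confirm that the actor document fetched for keyId lists that key and shares its origin with the claimed actor, and would apply the same ownership checks to Update, Delete and Announce activities.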

Luckily, the Nexkey developers were promptly notified and released an update fixing the issue. Version 12.122.2 patches the vulnerability. Nexkey is server software, so the fix is applied by the people running instances, not by end users: anyone operating a Nexkey instance should upgrade immediately, and users should check with their instance administrator that the instance has been updated. Updating a mobile or desktop client does nothing for this issue, because the validation happens on the server. Note also the limit of the patch: it stops your own instance from accepting forged activities, but an unpatched remote instance can still accept posts forged in your name and show them to its local users, so be cautious about unexpected posts attributed to contacts until the instances involved are on a fixed version.

With impersonation attacks, it is important for users to stay vigilant: treat an out-of-character post attributed to a contact with suspicion and confirm it through another channel, keep their own accounts secure, and keep software up to date so that emerging vulnerabilities are patched promptly.
